
Intel driven MacBook Pros have secondary ARM processor for Touch ID and security - eth0up
https://techcrunch.com/2016/10/28/apples-new-intel-driven-macbooks-have-a-secondary-arm-processor-that-runs-touch-id-and-security/
======
ginko
Not really that surprising. Your average laptop nowadays probably has more ARM
cores than x86 cores. They're in all kinds of peripherals like wifi
controllers, power supplies, harddisk controllers, GPU job control, heck even
AMD's recent APUs come with an integrated Cortex-A5.[1] ARM cores are
everywhere, people just don't know about it.

[1] http://www.anandtech.com/show/6007/amd-2013-apus-to-include-arm-cortexa5-processor-for-trustzone-capabilities

~~~
userbinator
Laptops have what is known as an "embedded controller" to handle peripherals
like keyboard/touchpad, power management, and fan control. Most of them seem
to be low-power 8/16-bit MCUs like 8051 and H8S, but I wouldn't be surprised
if newer ones use ARM too.

...and don't forget Intel ME, which is not ARM but another processor in the
system.

~~~
StringyBob
System-on-chips (most big chips these days) are so complex they usually have
the same thing one level deeper: On chip embedded controllers, often an mcu.

You might find that 'one arm chip' has many independent arm cpu cores carrying
out different functions mostly completely hidden from end user behind firmware
or rom

~~~
makomk
Amusingly enough, the embedded controller on some of the newer Allwinner ARM
SoCs is apparently OpenRISC of all things. Guess it saved them some licensing
fees.

------
fowlerpower
The one thing I will say is that even though Apple's software quality lately
has taken a hit, their commitment to security has only gotten stronger.

The secure enclave, hardware level security, all of the things that came up
with the FBI request have become a self serving prophecy for them.

I applaud them for this and it looks like the MacBook Pro is going to be one
of the most secure laptops around. Nothing is perfect of course.

Even though I applaud them for this I am still pissed about the headphone
jack.

~~~
zanethomas
I have a nagging suspicion that Apple will eventually lock the hardware and OS
down to the point where their computers will only run software delivered
through the app store.

~~~
jfoster
It certainly seems like they want to move in that direction, but it's critical
that they retain the developer segment. It'll be game over for them if
developers are unable to be productive on a Mac.

There's likely a way to make both of these things happen, to some degree. For
instance, they could start with just locking Macs to the app store as a
default that is changeable. (similar to how Android is locked down)

~~~
zanethomas
Do you think they still care about developers or other creative types? Judging
by what they did to Final Cut and then to the Mac Pro line I'm not so sure.

There are several good alternatives to the MacBooks now and I'll be moving to
Linux for my development efforts the next time I buy a machine.

~~~
apendleton
I wouldn't lump "developers" together with "other creative types." They depend
on developers to make the apps that make their devices desirable. If devs
stopped buying macs there would be nobody to make apps for iOS. They don't
depend on film editors in anywhere near the same way.

~~~
jfoster
Exactly. I suppose if they did lose the developer segment they could open up
iOS development on other platforms to remain relevant, but that whole path
just seems very undesirable and a great thing to avoid.

------
denzil_correa
Wired has an interesting and in-depth article on this. Also, the camera seems
to have more security than earlier.

> In the MacBook, the Secure Enclave is part of Apple’s new T1 processor,
> meaning it’s tied explicitly to the touch bar and Touch ID. It’s also,
> though, in charge of your webcam, a small but important difference.

> “In previous generations of Macbook the webcam light was software
> controlled—which meant that an attacker who compromised your OS could
> potentially activate the camera without turning on the light,” says Johns
> Hopkins University cryptography expert Matthew Green. “Adding a separate
> secure processor could make this much harder to do.”

https://www.wired.com/2016/10/macbook-pro-touch-id-secure-enclave/

~~~
revelation
Or, you know, spare one of the trillion transistors to switch power to 1)
camera and 2) LED.

There, solved. No full-powered ARM needed to control an indicator light.

~~~
johnm1019
I'm guessing it's not that simple because there may be situations when the
camera has power and is capturing an image (think hot-standby) but is not
transmitting image data to the world outside the sensor package.

~~~
adrianN
I don't want my camera to capture pictures without the LED being on, ever.

~~~
vigilant
And what if I turn on the camera for a tenth of a second, take a picture, and
turn it off. You won't notice the LED being on for a tenth of a second.
Software makes it easier to prevent such things.

~~~
GuiA
Just wrote a test app on macOS that initializes the camera, gets the first
video frame, and turns it off. You definitely notice the bright green LED
being on for a split second.

~~~
culturestate
You only notice it immediately if you're looking for it. I've gone minutes
with the camera on before noticing the LED while I was distracted by other
stuff on the screen.

------
ttul
I think it's a pity that the Touch Bar was not designed with a dedicated area
that can only be rendered by the T1 processor directly. If that were the case,
then network services could communicate directly with the user via the Touch
Bar, authenticating themselves with cryptography that cannot be broken by
anything running on the main system processor.

This would have provided a truly trusted mechanism for apps to communicate
with the user. For instance, your bank could authenticate itself with you via
the Touch Bar. If the Touch Bar display is controlled from the host OS, then
malware could pretend to be your bank, on the Touch Bar.

~~~
marklyon
But that would complicate using it as a screen for displaying ads.

~~~
visarga
AdBlock problem solved! Just get everyone to use keyboards that have dedicated
ad screens embedded inside.

------
userbinator
_Though transmission of data is handled by the main processor, Apple Pay
dialogs on screen are completely rendered by the T1 to take advantage of the
Secure Enclave, a portion of the chip set aside for personal information just
as it is in iPhones and Apple Watch devices._

That sounds similar in concept to Intel ME, another "secure" coprocessor that
can do a lot of other things that the more paranoid are freaking out over...

It also makes me wonder if these MacBook Pros also have Intel ME.

~~~
pcwalton
> It also makes me wonder if these MacBook Pros also have Intel ME.

They almost certainly do. Intel won't sell you a CPU without Intel ME.

------
okket
See also: https://news.ycombinator.com/item?id=12814655

And: http://arstechnica.com/apple/2016/10/15-hours-with-the-13-macbook-pro-and-how-apples-t1-bridges-arm-and-intel/

------
krastanov
Any idea whether this secure enclave will work if you are running Linux? (I
like the hardware, but I am more used to the Linux/GNU/gnome software)

~~~
cm3
Given that iSight and Facetime HD cameras required drivers and firmware to get
running under Linux, I would be positively surprised if the new camera is
easier to set up, meaning I don't think it works right now. Even the existing
camera support isn't 100%, with features like suspend/resume being flaky, all
due to it being reverse engineered.

That said, the options for developer laptops have shifted in favor of general
x86 computers, including very light-weight machines and ones with mechanical
keyboards. If I want to use Linux on it, my first choice wouldn't be a
macbook. So, unless you require macos for work, you have a more diverse
variety of laptops to find one that suits you best.

~~~
krastanov
Sure, but the laptops you describe do not have secure enclave. If I want that
level of security on Linux what can I do?

~~~
johncolanduoni
What would the enclave do for you if you're running an OS that doesn't support
Apple Pay or Touch ID?

~~~
Zoon
It is used for the camera too.

------
memracom
You mean that they are using a tried and proven architecture that helped the
4.77 MHz IBM PC find success in 1982?

Yawn....

The IBM PC keyboard had its own Z-80 CPU way back then and likely every single
PC of any sort since then has done this. And then there are the disk
controller CPUs. Wasn't that introduced around 1984?

~~~
whyenot
Do you have any further information on this? Having opened up an IBM PC
keyboard, and knowing that Z80 CPUs were still fairly expensive in 1982, I'm a
little surprised.

~~~
kps
Intel 8048.

[edit: citation needed?
http://classiccomputers.info/down/IBM/IBM_PC_5150/IBM_5150_Technical_Reference_6025005_AUG81.pdf]

------
oDot
Quick question -- what's so good about ARM specifically? Aren't there other
minimal architectures, maybe even one with lower/no licensing costs?

~~~
r00fus
In short: it's not Intel.

Longer: Intel has continually sucked at mobile (likely due to innovator's
dilemma and its love-hate relationship with Microsoft which also sucks at
mobile), and this may mean a stronger shift by Apple to integration with its
priorities (security, iOS/WatchOS friendliness, better battery life).

------
aq3cn
Touch ID, security + Apple pay.

To keep the cash flowing and replace banks.

~~~
samsonradu
Tbh I really see this might happen. They have internationally widespread
devices (unlike banks, which don't usually operate in too many countries), they
have superior technology, much easier for clients to use, and also a better
reputation than plenty of banks. Then the remaining issue is regulations, can
they solve it? Would a European country back up < 100k deposits for Apple? :)

~~~
aq3cn
They want to be a monopoly by entering our home as an IoT device, pocket as
a smart phone, desk as a laptop, office as a desktop, road as a car, wallet as
a digital credit card etc. They still have not entered inside our toilet.

I guess most people can see the problem and their potential as our next
dictator.

------
4ad
People who claim that every computer is full of microcontrollers are missing
the point. This is not a microcontroller, it's a full SoC running (more or less)
the same kernel used on the main CPU.

It's more similar to the LOM and IPMI systems found on server computers rather
than anything else.

------
mcguire
" _The T1 also sends pixels to the Touch Bar though the MacBook’s main
processor is what actually renders that content which is then sent over._ "

I am a bit worried about the author. Is Matthew having a stroke?

~~~
tekacs
That's a valid (albeit awkward) sentence.

The T1 also sends pixels to the Touch Bar, although the MacBook's main
processor is what actually does the rendering for said pixels (which are
sent).

------
jwatte
And the battery has an MCU for charge management, and the trackpad, and the
keyboard, and ...

------
godmodus
that's nice dear. _insert grandma gif here_

how about more RAM, tho?

------
rasz_pl
Can we expect Error 53 after you spill something on the keyboard destroying
Touch strip = and computer stops booting .. but you have important data on SSD
that is now SOLDERED permanently to the motherboard, and Apple doesn't offer
data recovery (only logic board swap at a low low price of $2/3 whole
computer) so only option is independent repair shop?

~~~
Eric_WVGG
The SSD on the new non-Touch Bar laptop has been confirmed to have a
removable/replaceable SSD. The SSDs on the 2013-2015 Macbook Pros also had
removable SSDs, so there’s little reason to believe the Touch Bar MBPs won’t
either.

