Equipped with the T2 chipset, newer generations of MacBook Pro and iMac Pro are hardened to mitigate many software- and hardware-based attacks against the very first instructions executed during the boot process. By removing the flash memory chip that holds the UEFI firmware and using chipset functionality normally reserved for server architectures, the T2 can dynamically provide and validate the UEFI payload contents at runtime.
We have spent a long time looking at the T2 and have written a paper that describes the technical details of what actually happens when the power button is pressed. The T2 is a great first step in the right direction, but there is still room for improvement in the secure boot process on an Apple T2-enabled device.
The full report is here.
If you clone your OS disk from another machine, the user will not have a Secure Token, which means no FileVault. It is also not possible to add a Secure Token to a user if no user has one.
On many Macs with T2 chips, Recovery mode is much slower. Unless you use the built-in keyboard on a portable model, you will almost certainly need to connect the wireless keyboard to your Mac with its charging cable so that it is available over USB rather than Bluetooth. Then you will probably hold Command-R for what feels like forever before your Mac finally displays the standard Recovery options.
The newest option, the T2-specific Startup Security Utility, does not appear among those options but opens from the menu.
This may seem strange, but it does not appear possible to get a Mac with a T2 chip to boot from an unencrypted internal disk: that disk will always be encrypted, regardless of whether you turn FileVault 'off' or 'on'. The difference is that with FileVault 'off', the encryption is locked using only the internal hardware UID (held in the T2's Secure Enclave), without also using your password.
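As an added illustration (not the paper's, the blog's or Apple's code), the following Python models the key hierarchy the paragraph describes: the volume key is always present, and FileVault only decides whether the hardware UID alone, or the UID together with the user's password, is needed to unwrap it. The class and function names, the KDF choices and the round count are assumptions of this simplified model, not Apple's implementation.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

PBKDF2_ROUNDS = 100_000  # illustrative; the real parameters are not on the page


def derive_kek(uid: bytes, password: Optional[str]) -> bytes:
    """Key-encryption key: hardware UID alone (FileVault off) or UID plus a
    password-derived secret (FileVault on). HMAC-SHA256 stands in for a real KDF."""
    material = uid
    if password is not None:
        material += hashlib.pbkdf2_hmac("sha256", password.encode(), uid, PBKDF2_ROUNDS)
    return hmac.new(b"t2-model-kek", material, hashlib.sha256).digest()


class SecureEnclave:
    """Models the Secure Enclave: the UID is generated inside and never exported."""

    def __init__(self) -> None:
        self._uid = secrets.token_bytes(32)

    def wrap(self, vek: bytes, password: Optional[str] = None) -> Tuple[bytes, bytes]:
        """Wrap the device's single 32-byte volume key: XOR with the KEK plus an HMAC
        tag stands in for an authenticated key-wrap (the KEK wraps nothing else)."""
        kek = derive_kek(self._uid, password)
        blob = bytes(a ^ b for a, b in zip(vek, kek))
        return blob, hmac.new(kek, blob, hashlib.sha256).digest()

    def unwrap(self, blob: bytes, tag: bytes, password: Optional[str] = None) -> Optional[bytes]:
        kek = derive_kek(self._uid, password)
        if not hmac.compare_digest(hmac.new(kek, blob, hashlib.sha256).digest(), tag):
            return None  # other machine, wrong password, or a password was required
        return bytes(a ^ b for a, b in zip(blob, kek))


def demo(password: str = "correct horse battery staple") -> dict:
    """Scenarios from the text with constructed keys: True means the volume key was recovered."""
    this_mac, other_mac, vek = SecureEnclave(), SecureEnclave(), secrets.token_bytes(32)
    off = this_mac.wrap(vek)            # FileVault "off": still encrypted, UID alone unlocks
    on = this_mac.wrap(vek, password)   # FileVault "on": UID and password both required
    return {
        "off_same_mac_no_password": this_mac.unwrap(*off) == vek,
        "off_other_mac": other_mac.unwrap(*off) == vek,
        "on_same_mac_right_password": this_mac.unwrap(*on, password) == vek,
        "on_same_mac_wrong_password": this_mac.unwrap(*on, "hunter2") == vek,
        "on_same_mac_no_password": this_mac.unwrap(*on) == vek,
        "on_other_mac_right_password": other_mac.unwrap(*on, password) == vek,
    }
```

The model shows why a T2 Mac with FileVault off still resists reading the disk on another machine, but unlocks for anyone who can boot this one; turning FileVault on adds the password to the requirement.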