iMac Pro Features Apple's Custom T2 Chip With Secure Boot Capabilities

Thursday December 14, 2017 9:55 am PST by Joe Rossignol
Apple today confirmed the iMac Pro is equipped with its custom T2 chip for enhanced security and integration. The chip is second-generation silicon, building upon the T1 chip in the latest MacBook Pro with the Touch Bar that authenticates and secures Touch ID and Apple Pay respectively.


The T2 chip integrates several previously separate components, including the system management controller, image signal processor, audio controller, and SSD controller, for expanded capabilities on the iMac Pro.

For instance, Apple says the T2 chip's image signal processor works with the FaceTime HD camera to enable enhanced tone mapping, improved exposure control, and face detection-based auto exposure and auto white balance.

The T2 chip also has a Secure Enclave coprocessor that makes the iMac Pro even more secure with new encrypted storage and secure boot capabilities.
The data on your SSD is encrypted using dedicated AES hardware with no effect on the SSD's performance, while keeping the Intel Xeon processor free for your compute tasks. And secure boot ensures that the lowest levels of software aren't tampered with and that only operating system software trusted by Apple loads at startup.
Cabel Sasser, co-founder of software company Panic, recently shared a few screenshots of the Startup Security Utility powered by the T2 chip.
The settings reveal that users can enable a firmware password to prevent the iMac Pro from starting up from a different hard disk, CD, or DVD without the password. There are also three secure boot options and options to allow or disallow booting from external media devices such as USB and Thunderbolt drives.

"Full security" ensures that only the latest and most secure software can be run. Apple says this mode requires a network connection at the time of software installation. "Medium security" requires verifiable software to boot, but not the latest software, and "no security" lets the operating system boot freely.

iMac Pro became available to order today with 8- to 18-core configurations ranging in price from $4,999 to $13,199 in the United States. 14-core and 18-core models don't ship for an estimated 6-8 weeks.

Related Roundup: iMac Pro
Tag: T2 chip
Buyer's Guide: iMac Pro (Caution)
[ 70 comments ]

Top Rated Comments

(View all)

Avatar
nikosl7
28 months ago
username: root
pass:<leave empty>

There you go. You are now in.
Rating: 33 Votes
Avatar
guzhogi
28 months ago

wait so isn't T1 in the new MacBook pro ?


Yes, the MBP has a T1. The iMac Pro has a T2. And the T101 will go back in time to kill Sarah Connor. Sorry, couldn't resist.
Rating: 30 Votes
Avatar
Bryan Bowler
28 months ago

Why in the world would anyone buy one of these?


You obviously don’t need one and it’s a secret as to why a lot of folks need one, so I can’t tell you.
Rating: 13 Votes
Avatar
BMcCoy
28 months ago
I wonder if they considered sticking in a FaceID camera?

Presumably they'll show up on all Apple devices over the next couple of years..?
Rating: 12 Votes
Avatar
Zarniwoop
28 months ago
Sunset for Hackintosh era has started.
Rating: 9 Votes
Avatar
guzhogi
28 months ago

Yes, the MBP has a T1. The iMac Pro has a T2. And the T800 will go back in time to kill Sarah Connor. Sorry, couldn't resist.


I just remembered: Apple also has a patent for Liquid Metal. OMG! Apple's SkyNet!
Rating: 9 Votes
Avatar
stabsteer
28 months ago

Why in the world would anyone buy one of these?


Because its awesome and destroys my current iMac for editing.
Rating: 6 Votes
Avatar
deanthedev
28 months ago
Reviewers have benchmarked the SSDs in the new iMac Pro and they are ridiculously fast.

If the T2 chip can perform real-time encryption while maintaining this performance then it’s not some “companion” chip - it would need some serious chops to do this.
Rating: 5 Votes
Avatar
deconstruct60
28 months ago

....

If the T2 chip can perform real-time encryption while maintaining this performance then it’s not some “companion” chip - it would need some serious chops to do this.


Serious chops? No more than most of the other SSD controllers used by mid-upper tier SSDs these days. Sandforce controllers did 'on the fly' encryption more than several years ago. Once Apple takes the SSD controller duties away from a third party SSD controller, being able to do on the fly encrypt is simply just replacing the technological capability of a reasonable 3rd party solution.

AES was selected ( and designed ) to be relatively easy to be implemented in fix transistor logic implementations. The Intel CPUs can pragmatically do on the fly encryption from RAM. It is not so much "chops' as simply allocating sufficient transistor budget.

The bigger issue here is Apple taking that third party SSD position. More than likely this is a SSD that is soldered on logic board (like some recent laptops). A modular SSD that fit into a socket ( even Apple tweaked S2 socket) still has the controller on the card/module. If the controller is inside of this T2 chip then that is most likely soldered to the board. At that point the NAND chips would pragmatically need to be also.


Apple spent $390-400M more than several years ago to buy a SSD controller company ( https://www.macrumors.com/2012/01/10/apple-confirms-acquisition-of-israeli-flash-memory-firm-anobit/), so not particularly surprising they are in process of kicking all the other 3rd parties out of standard Mac configurations across the whole Mac product line.

If forget the boot password , the drive is attached to the logic board, and have turned off booting from external devices .......... a bit more than dead in the water at that point. ( hopefully there is a service port that can trigger a secure erase. )
[doublepost=1513282146][/doublepost]

So what happens when your disk is encrypted but separated from it’s T2 enclave, because the T2 is fried, or another problem occurs with the mainboard that requires the SSD to be migrated to another machine?


This isn't particularly any different than if your current SSD's controller get fried. The SSD is dead. As for other drives FileVault2 , again if your secure boot partition's data is scrambled somehow (i.e., your key storage is nuked ) your disk is pragmatically toast. That current systems have highly approximately the same structural pitfall.

Largely same crypto key storage technique though that is used regularly on an order of magnitude larger number of iOS devices ( relative to number of Macs). Apple could screw it up if sloppy but don't really have an hardware crypto track record for that. Solid state storage that users/kernel can't mess with and extremely low number of writes and mostly read only. The failure modes are going to be relatively very small compared to normal general usage drive storage.



Seems like the T2 is great at protecting the data to be read by anyone, including the owner...


Owner forgetting password or T2 failing to function correctly .... which one is more likely ? I'm sure some owners will get locked out, but the root cause is probably not going to be the T2.
Rating: 5 Votes
Avatar
spoonie1972
28 months ago
Sounds like a great way to make-this-computer-officially-dead after 7 years. That's a ****-ton of money to lock into a computer that Apple deems "end of life" by way of OS updates.
Rating: 4 Votes

[ Read All Comments ]