2021-02-18
Apple shares security guides for each new release of its operating systems, and it updates them every year. Today it shared its 2021 Platform Security guide that examines all of its platforms. There’s also a web page dedicated to it.
2021 Platform Security
The guide [PDF] is organized into sections covering: hardware security and biometrics, system security, encryption and data protection, app security, services security, network security, developer kits, secure device management, and security certifications and programs.
Here are a couple of new bits involving Apple’s M1 processor:
Starting with A14 and the M1, the Secure Neural Engine is implemented as a secure mode in the Application Processor’s Neural Engine. A dedicated hardware security controller switches between Application Processor and Secure Enclave tasks, resetting Neural Engine state on each transition to keep Face ID data secure. A dedicated engine applies memory encryption, authentication, and access control. At the same time, it uses a separate cryptographic key and memory range to limit the Secure Neural Engine to authorized memory regions.
And:
Every time a file on the data volume is created, Data Protection creates a new 256-bit key (the per-file key) and gives it to the hardware AES Engine, which uses the key to encrypt the file as it is written to flash storage. On A14 and M1 devices, the encryption uses AES-256 in XTS mode where the 256-bit per-file-key goes through a Key Derivation Function (NIST Special Publication 800-108) to derive a 256-bit tweak and a 256-bit cipher key.
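To make the last step concrete, here is an added example (not Apple's code, and not from the guide) of the SP 800-108 derivation it describes: a random 256-bit per-file key is expanded with a counter-mode KDF into a 512-bit output that is split into the 256-bit tweak key and 256-bit cipher key an AES-256-XTS engine would consume. The PRF (HMAC-SHA256), the 32-bit counter and length encoding, and the label string are assumptions chosen for illustration; Apple does not publish its parameters.

```python
import hashlib
import hmac
import os
import struct
from typing import Tuple


def sp800_108_counter_kdf(key_in: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """NIST SP 800-108 KDF, counter mode, HMAC-SHA256 as the PRF (assumed).

    K(i) = HMAC(key_in, [i]_32 || Label || 0x00 || Context || [L]_32)
    output = K(1) || K(2) || ... truncated to `length` bytes, where L is the
    requested output length in bits. Binding L into every PRF call means a
    32-byte request is NOT a prefix of a 64-byte request from the same key.
    """
    prf_len = hashlib.sha256().digest_size
    n = -(-length // prf_len)  # ceil(length / prf_len) blocks of PRF output
    if n >= 2 ** 32:
        raise ValueError("requested length too large for a 32-bit counter")
    l_bits = struct.pack(">I", length * 8)
    out = b""
    for i in range(1, n + 1):
        fixed_input = struct.pack(">I", i) + label + b"\x00" + context + l_bits
        out += hmac.new(key_in, fixed_input, hashlib.sha256).digest()
    return out[:length]


def derive_xts_subkeys(per_file_key: bytes) -> Tuple[bytes, bytes]:
    """Expand one 256-bit per-file key into (tweak_key, cipher_key), each 256 bits.

    AES-256-XTS needs two independent 256-bit keys; deriving both from the
    per-file key through the KDF (rather than reusing it for both roles) keeps
    the tweak and cipher keys cryptographically separated. The label is a
    constructed placeholder, not Apple's.
    """
    if len(per_file_key) != 32:
        raise ValueError("per-file key must be 256 bits")
    okm = sp800_108_counter_kdf(per_file_key, b"example-xts-subkeys", b"", 64)
    return okm[:32], okm[32:]


def new_per_file_key() -> bytes:
    """Fresh 256-bit per-file key, as Data Protection mints on file creation."""
    return os.urandom(32)


if __name__ == "__main__":
    tweak_key, cipher_key = derive_xts_subkeys(new_per_file_key())
    print("tweak  key:", tweak_key.hex())
    print("cipher key:", cipher_key.hex())
```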