Apple has revised its A12, A13, and S5 system-on-chips so that devices released from fall 2020 onward ship with a second-generation Secure Storage Component inside the Secure Enclave.
Apple normally introduces new security features as part of a new chip generation rather than on chips already in production. In this case, however, the company appears to have adjusted the design of three earlier SoCs to bring their Secure Enclave up to the newer standard.
In an update to the Apple Platform Security pages spotted by Andrew Pantyukhin on Twitter and first reported by MacRumors, the PDF version of the guide includes a table summarizing the Secure Enclave features of each chip, with changes dated fall 2020. The Secure Enclave is the isolated coprocessor that holds highly sensitive security data, such as Face ID or Touch ID templates, rather than handing that work to the application processor.
In the table, the A12, A13, and S5 SoCs each have two lines instead of one, covering "Apple devices released before Fall 2020" and devices released after that time. For all three pre-fall 2020 lines, Apple lists the SoCs as having "Secure Storage Component gen 1," while the later lines have "Secure Storage Component gen 2."
Based on the wording, the change only affects product lines released from fall 2020 onward; existing devices using the same chips continue with the earlier variant. It is feasible for Apple to apply the change to later production runs of existing products, but it seems unlikely Apple would do so without announcing it.
In terms of hardware affected by the change, the iPad, HomePod mini, and Apple Watch SE appear to be the only devices built on the older chip designs that have the updated Secure Enclave.
Newer SoCs introduced during the fall of 2020, namely the A14 and the S6, already have the second-generation Secure Enclave. A-series chips from the A8 to A11, the S3, and the T2 are all listed as having “EEPROM” for their secure storage component.
The exception is the S4, used in the Apple Watch Series 4, which has a single line listing "Secure Storage Component gen 1" with no corresponding "gen 2" entry. This is likely because Apple has discontinued the Apple Watch Series 4 and no other product uses the S4 SoC.
As for what is actually different in the second-generation Secure Storage Component, Apple describes it as adding "counter lockboxes," each of which stores a 128-bit salt, a 128-bit passcode verifier, an 8-bit counter, and an 8-bit maximum attempt value. Because the attempt counter and its limit live inside the storage component itself rather than in the Secure Enclave processor's memory, a failed passcode guess is recorded where the processor cannot simply roll it back. It is plausible that this was introduced as a countermeasure against passcode brute-forcing hardware such as GrayShift's GrayKey or the services offered by Cellebrite to unlock and extract files from iOS devices.
In August 2020, security researchers revealed a vulnerability in the Secure Enclave processor that attacked a memory controller, allowing attackers to alter how memory was used.