Apple T2

General information
Launched	December 14, 2017
Discontinued	June 5, 2023
Designed by	Apple Inc.
Common manufacturer	TSMC[1]
Product code	APL1027
Cache
L1cache	Per core: 126 KB instruction + 126 KB data[1]
L2 cache	3 MB shared[1]
Architecture and classification
Application	Security, Controller
Technology node	16 nm[1]
Microarchitecture	ARMv8: "Hurricane"/"Zephyr" ARMv7: Cortex-A7
Instruction set	ARMv8.1-A:A64,A32,T32 ARMv7-A:A32
Physical specifications
Cores	4 (2× Hurricane + 2× Zephyr)[1]
Products, models, variants
Variant	Apple A10
History
Predecessor	Apple T1

TheApple T2 (Apple's internal name is T8012)^[2] security chip is asystem on a chip (SoC) tasked with providing security and controller features to Apple'sIntel basedMacintosh computers. It is a64-bitARMv8 chip and runsbridgeOS.^[3][4] T2 has its own RAM and is essentially a specialembedded controller of its own, running in parallel to and responding to requests by the main computer that the user interacts with.

The main application processor in T2 is a variant of theApple A10, which is a64-bitARMv8.1-A based CPU.^[1] It is manufactured byTSMC on their 16 nm process, just as the A10. Analysis of the die reveals a nearly identical CPU macro as the A10 which reveals a four core design for its main application processor, with two large high performance cores, "Hurricane", and two smaller efficiency cores, "Zephyr". Analysis also reveals the same amount of RAM controllers, but a much reduced GPU facility; three blocks, only a quarter the size compared to A10.^[1]

The die measures 9.6 mm × 10.8 mm, a die size of 104 mm², which amounts to about 80% of the size of the A10.^[1]

It serves as a co-processor to its Intel based host, providing of facilities for handling a variety of functions not present in the host. It is designed to stay active even if the main computer is in a halted low power mode. The main application processor in T2 is running an operating system calledbridgeOS.

The secondary processor in T2 is an 32-bit ARMv7-A based CPU calledSecure Enclave Processor (SEP) which has the task of generating and storing encryption keys. It is running an operating system called "sepOS" based on theL4 microkernel.^[5]

The T2 module is built as apackage on a package (PoP) together with its ownLP-DDR4 RAM. Mac configurations with 1 TB of SSD storage or greater receive 2 GB LP-DDR4, while lower storage configurations receive 1 GB.^[6]

ThebridgeOS of Apple T2 is stored in a firmware partition of the Mac's built-inSSD, which is hidden in macOS and Windows.^[7]

The T2 communicates with the host via a USB-attachedEthernet port.^[3]

There are numerous features regarding security, including:

• The SEP is used for handling and storingencryption keys, including keys forTouch ID,FileVault, macOSKeychain, andUEFI firmware passwords. It also stores the machine'sunique ID (UID) and group ID (GID).^[8][9][5]
• An AES Crypto Engine implementingAES-256 and a hardwarerandom number generator.^[5]
• A Public Key Accelerator is used to perform asymmetric cryptography operations likeRSA andelliptic-curve cryptography.^[5]
• Astorage controller for the computer'ssolid-state drive, including always on, on-the-fly encryption and decryption of data to and from it.^[4][9][10]

The T2 is integral in theboot sequence and upgrading ofoperating systems, not allowing unsigned components to interfere.^{[4][8][9][10]}

There are other facilities present not directly associated with security.

• Controllers for microphones, camera, ambient light sensors andTouch ID.^[8][9][10]

• Image coprocessor enabling accelerated image processing and quality enhancements such ascolor,exposure balance, and focus for the iMac Pro'sFaceTime HD camera.^[8][10]
• Video codec enabling accelerated encoding and decoding ofH.264 andH.265.^[11]
• Controller for atouchscreen, implemented as the Touch Bar in portable Macintosh computers.^[9]
• Speech recognition used in the"Hey Siri" feature.^[9]
• Monitoring and controlling of the machine state, including a system diagnose server and thermals management.^[10][3]
• Speaker controller.^[8][10]

The Apple T2 was first released in theiMac Pro in late 2017.^[10]

On July 12, 2018, Apple released an updatedMacBook Pro that includes the T2 chip, which among other things enables the"Hey Siri" feature.^[12][13]

On November 7, 2018, Apple released the updatedMac Mini andMacBook Air models with the T2 chip.^[14][15]

On August 4, 2020, a refresh of the 5KiMac was announced, including the T2 chip.^[16]

The functionality of the T2 chip is incorporated in Apple'sM-series CPUs, thus eliminating the need for a separate chip inApple silicon-powered computers.^[5] The T2 chip was discontinued with the completion of theMac transition to Apple silicon in June 2023.

In October 2019 security researchers began to theorize that the T2 might also be affected by thecheckm8 bug as it was roughly based on the A10 design from 2016 in the original iMac Pro.^[17] Rick Mark then ported libimobiledevice to work with the Apple T2 providing afree and open source solution to restoring the T2 outside ofApple Configurator and enabling further work on the T2.^[18] On March 6, 2020, a team of engineers dubbedT2 Development Team exploited the existing checkm8 bug in the T2 and released the hash of a dump of the secureROM as a proof of entry.^[19] Thecheckra1n team quickly integrated the patches required to supportjailbreaking the T2.^{[20][21][22][23]}

The T2 Development Team then used Apple's undocumented vendor-defined messages overUSB power delivery to be able to put a T2 device intoDevice Firmware Upgrade mode without user interaction. This compounded the issue making it possible for any malicious device tojailbreak the T2 without any interaction from a custom charging device.^[24][25][26]

Later in the year the release of the blackbird SEP vulnerability further compounded the impact of the defect by allowingarbitrary code execution in the T2 Secure Enclave Processor.^[27] This had the impact of potentially affecting encrypted credentials such as theFileVault keys as well as other secureApple Keychain items.

Developer Rick Mark then determined that macOS could be installed over the same iDevice recovery protocols, which later ended up true of the M1 series of Apple Macs.^[28] On September 10, 2020, a public release of checkra1n was published that allowed users to jailbreak the T2.^[29][30] The T2 Development Team created patches to remove signature validation from files on the T2 such as the MacEFI as well as the boot sound. Members of the T2 Development Team begin answering questions in industrySlack instances.^[31] A member of the security community from IronPeak used this data to compile an impact analysis of the defect, which was later corrected to correctly attribute the original researchers^[32] The original researchers made multiple corrections to the press that covered the IronPeak blog.^[33]

In October 2020, a hardware flaw in the chip's security features was found that might be exploited in a way that cannot be patched, using a similar method as the jailbreaking of the iPhone with A10 chip, since the T2 chip is based on the A10 chip. Apple was notified of this vulnerability but did not respond before security researchers publicly disclosed the vulnerability.^[34] It was later demonstrated that this vulnerability can allow users to implement customMac startup sounds.^[35][36]

• iMac Pro
• MacBook Pro (13-inch, 2018, Four Thunderbolt 3 ports)
• MacBook Pro (15-inch, 2018)
• Mac mini (2018)
• MacBook Air (2018)
• MacBook Pro (13-inch, 2019)
• MacBook Pro (15-inch, 2019)
• MacBook Air (2019)
• MacBook Pro (16-inch, 2019)
• Mac Pro (2019)
• MacBook Pro (13-inch, Early 2020)
• MacBook Air (Early 2020)^[37]
• iMac (27-inch, 2020)

• Apple silicon, range of ARM-based processors designed by Apple for their products
• Apple A10
• bridgeOS
• Secure cryptoprocessor

• Apple silicon

• CS1 Dutch-language sources (nl)
• CS1 maint: numeric names: authors list
• Articles with short description
• Short description is different from Wikidata