Apple Platform Security

DMA protections
To achieve high throughput on high-speed interfaces like PCIe, FireWire, Thunderbolt, and USB, computers must support Direct Memory Access (DMA) from peripherals. That is, peripherals must be able to read from and write to RAM without continuous involvement of the Intel CPU. Since 2012, Mac computers have implemented numerous technologies to protect DMA, resulting in the best and most comprehensive set of DMA protections on any PC.
Intel Virtualization Technology for Directed I/O (VT-d) has been supported on Mac computers since 2012, and was first used in OS X 10.9 to protect the kernel from being overwritten in memory by malicious peripherals. However, malicious peripherals can also overwrite code and data while the UEFI firmware is running in order to compromise boot security. macOS 10.12.3 updated the UEFI firmware for all VT-d-capable Mac computers to use VT-d to protect against malicious FireWire and Thunderbolt peripherals. It also isolates peripherals so that each can see only its own memory ranges, not the memory of other peripherals. For example, an Ethernet peripheral running in UEFI can’t read the memory of a storage peripheral.
DMA protections in UEFI firmware were further improved in macOS 10.13 to move the initialization earlier in the UEFI firmware startup sequence to protect against:
Malicious internal peripheral processors on the PCIe bus
A class of Message Signaled Interrupt (MSI) attacks presented by security researchers
All Mac computers with the Apple T2 Security Chip come with further improved DMA protections, where the initialization is performed as early as possible. Specifically, the protection is enabled before any RAM is even available to the UEFI firmware. This protects against any compromised PCIe bus zero devices (such as the Intel ME) that may be running and capable of DMA at the instant that RAM becomes available. This protection was also added to Mac computers without a T2 chip in macOS 10.15.
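As an added illustration (not Apple firmware or Intel VT-d code), the following C model shows the two properties this section describes: each peripheral is confined to the memory ranges of its own domain, and a DMA request issued before remapping is enabled is not checked at all, which is why moving initialization earlier matters. The device names, ranges and addresses are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_RANGES 4

/* One allowed physical range [base, base + len). */
typedef struct { uint64_t base, len; } Range;

/* A remapping domain: the only memory a given peripheral may touch. */
typedef struct {
    const char *name;
    Range ranges[MAX_RANGES];
    size_t nranges;
} Domain;

/* Toy IOMMU state: remap_enabled == false models the window before
 * VT-d initialization, when no DMA request is filtered. */
typedef struct {
    bool remap_enabled;
    Domain *domains;
    size_t ndomains;
} Iommu;

/* Returns true if device 'dev' may perform DMA on [addr, addr + len). */
bool dma_allowed(const Iommu *iommu, size_t dev, uint64_t addr, uint64_t len)
{
    if (!iommu->remap_enabled) return true;          /* unprotected window */
    if (dev >= iommu->ndomains || len == 0 || addr + len < addr) return false;
    const Domain *d = &iommu->domains[dev];
    for (size_t i = 0; i < d->nranges; i++) {
        uint64_t rb = d->ranges[i].base, re = rb + d->ranges[i].len;
        if (addr >= rb && addr + len <= re) return true;  /* fully inside */
    }
    return false;                                     /* outside own domain */
}

/* Constructed sample: an Ethernet device and a storage device, each with
 * a single DMA buffer. Kernel text (around 0x00100000) is mapped for neither. */
static Domain demo_domains[] = {
    { "ethernet", { { 0x10000000, 0x1000 } }, 1 },
    { "storage",  { { 0x20000000, 0x4000 } }, 1 },
};

Iommu demo_iommu(bool enabled)
{
    Iommu io = { enabled, demo_domains, 2 };
    return io;
}
```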