Protecting keys in alternate boot modes
Data Protection is designed to provide access to user data only after successful authentication, and only to the authorized user. Data protection classes are designed to support a variety of use cases, such as the ability to read and write some data even when a device is locked (but after first unlock). Additional steps are taken to protect access to user data during alternate boot modes such as those used for Device Firmware Update (DFU) mode, Recovery mode, Apple Diagnostics, or even during software update. These capabilities are based on a combination of hardware and software features, and have been expanded as Apple-designed silicon has evolved.
A14, M1, S6
Recovery: All Data Protection Classes protected
Alternate boots of DFU mode, Recovery, and software updates: Class A, B, and C data protected
The Secure Enclave AES Engine is equipped with lockable software seed bits. When keys are created from the UID, these seed bits are included in the key derivation function to create additional key hierarchies. How the seed bit is used varies according to the system on chip:
Starting with the Apple A10 and S3 SoCs, a seed bit is dedicated to distinguish keys protected by the user’s passcode. The seed bit is set for keys that require the user’s passcode (including Data Protection Class A, Class B, and Class C keys), and cleared for keys that don’t require the user’s passcode (including the file system metadata key and Class D keys).
In iOS 13 or later and iPadOS 13.1 or later on devices with an A10 or later, all user data is rendered cryptographically inaccessible when devices are booted into Diagnostics mode. This is achieved by introducing an additional seed bit whose setting governs the ability to access the media key, which itself is needed to access the metadata (and therefore contents of all files) on the data volume encrypted with Data Protection. This protection encompasses files protected in all classes (A, B, C, and D), not just those that required the user’s passcode.
On A12 SoCs, the Secure Enclave Boot ROM locks the passcode seed bit if the Application Processor has entered Device Firmware Upgrade (DFU) mode or Recovery mode. When the passcode seed bit is locked, no operation to change it is allowed. This is designed to prevent access to data protected with the user’s passcode.
Restoring a device after it enters DFU mode returns it to a known good state with the certainty that only unmodified Apple-signed code is present. DFU mode can be entered manually.
See the following Apple Support articles on how to place a device in DFU mode:
iPhone, iPad, iPod touch
A Mac with Apple silicon