Peripheral processor security in Mac computers
All modern computing systems have many built-in peripheral processors dedicated to tasks such as networking, graphics, power management, and more. These peripheral processors are often single-purpose and are much less powerful than the primary CPU. Built-in peripherals that don’t implement sufficient security become an easier target for attackers to exploit, through which they can persistently infect the operating system. Having infected a peripheral processor firmware, an attacker could target software on the primary CPU or directly capture sensitive data (For example, an Ethernet device could see the contents of packets that aren’t encrypted.)
Whenever possible, Apple works to reduce the number of peripheral processors necessary and to avoid designs that require firmware. But when separate processors with their own firmware are required, efforts are taken to help ensure an attacker can’t persist on that processor. This can be by verifying the processor in one of two ways:
Running the processor so that it downloads verified firmware from the primary CPU on startup
Having the peripheral processor implement its own secure boot chain, to verify the peripheral processor firmware every time the Mac starts up
Apple works with vendors to audit their implementations and enhance their designs to include desired properties such as:
Ensuring minimum cryptographic strengths
Ensuring strong revocation of known bad firmware
Disabling debug interfaces
Signing the firmware with cryptographic keys that are stored in Apple-controlled hardware security modules (HSMs)
In recent years, Apple has worked with some external vendors to adopt the same “Image4” data structures, verification code, and signing infrastructure used by Apple silicon.
When neither storage-free operation nor storage plus secure boot is an option, the design mandates that firmware updates be cryptographically signed and verified before the persistent storage can be updated.