Apple made unusual mid-cycle hardware changes to the A12, A13 and S5 chips in devices shipped in the fall of 2020, upgrading the Secure Enclave's secure storage component, according to Apple support documents.
According to an Apple support page, spotted by Twitter user Andrew Pantyukhin, Apple changed the Secure Enclave in several products in the fall of 2020:
Note: A12, A13, S4, and S5 products first launched in the fall of 2020 have a 2nd generation secure storage component; while previous products based on these SoCs have a first-generation secure storage component.
The Secure Enclave is a coprocessor used for data protection and for authentication with Touch ID and Face ID. Its purpose is to manage keys and other information, such as biometric data, that are too sensitive to be handled by the application processor. This data is stored in a secure storage component within the Secure Enclave, and that component is the specific part Apple changed last year.
The explanation in Apple's support document suggests, at the very least, that the eighth-generation entry-level iPad, Apple Watch SE and HomePod mini have a different Secure Enclave than older devices using the same chips.
However, there are several discrepancies in Apple's support document. Although Apple states that A13 products "first released in the fall of 2020 have a second-generation secure storage component," no device with an A13 chip was first released in the fall of 2020. The last device launched with an A13 chip was the second-generation iPhone SE in April 2020.
If the change was in fact made to all newly manufactured devices with these chips, the affected devices would include the iPhone XR, iPhone 11, iPhone SE and fifth-generation iPad mini, as well as the recently released eighth-generation iPad, Apple Watch SE and HomePod mini.
To make things more confusing, the table in the feature summary that lists the versions of the Secure Enclave's secure storage component omits an S4 chip with a second-generation secure storage component, even though the note says such a chip exists. The Apple Watch Series 4 was the only device to contain an S4 chip, and it was discontinued in September 2019, long before the second-generation secure storage component arrived in the fall of 2020. Part of this lack of clarity may stem from the fact that the A12 and S4 were the chips that introduced the first-generation secure storage component.
Newer devices with the A14 or S6 chip, such as the iPhone 12, iPhone 12 Pro, fourth-generation iPad Air and Apple Watch Series 6, also have the updated Secure Enclave.
Although the change occurred in the fall of 2020, the support document describing it was only published in February 2021. The full Apple Platform Security Guide spells out the difference between the first- and second-generation secure storage component:
The 2nd-generation secure storage component adds counter lockboxes. Each counter lockbox stores a 128-bit salt, a 128-bit passcode verifier, an 8-bit counter, and an 8-bit maximum attempt value. Access to the counter lockboxes is through an encrypted and authenticated protocol.
Counter lockboxes hold the entropy needed to unlock passcode-protected user data. To access the user data, the paired Secure Enclave must derive the correct passcode entropy value from the user's passcode and the Secure Enclave's UID. The user's passcode can't be learned using unlock attempts sent from a source other than the paired Secure Enclave. If the passcode attempt limit is exceeded (for example, 10 attempts on iPhone), the passcode-protected data is erased completely by the secure storage component.
This appears to be a countermeasure against passcode-cracking tools such as GrayKey, which try to break into iPhones by guessing the passcode over and over, relying on exploits that let them make an unlimited number of incorrect attempts. Because the attempt counter and the erase decision now live inside the secure storage component that holds the key material, an exploit elsewhere on the device cannot simply reset the counter to keep guessing.
The change was evidently significant enough for Apple to label the result a "second generation" of Secure Enclave storage. It is certainly unusual for Apple to change a component of its chips mid-production, but Apple presumably judged the security upgrade important enough to put it in all relevant new devices from the fall onward, rather than only in devices with the latest A14 and S6 chips.
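To make the counter lockbox mechanism quoted above concrete, here is a toy model of it in Python. It is an added illustration written for this article, not Apple's code and not taken from the Platform Security Guide. The field layout (128-bit salt, 128-bit passcode verifier, 8-bit counter, 8-bit maximum attempt value) follows the quoted text; everything else, including the HMAC/PBKDF2 derivations, the `DEVICE_UID` value, the guarded entropy size and the helper names `derive_passcode_entropy` and `guessing_attack`, is an assumption made for the example. The point it shows is that the attempt limit is enforced by the object holding the secret, so a GrayKey-style guessing loop burns its ten tries and then gets nothing, and that the same passcode sent through a different UID does not verify.

```python
"""Toy model of a 2nd-generation counter lockbox (added illustration, not Apple's code)."""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple

# Constructed stand-in for a device's Secure Enclave UID (real UIDs are fused per device).
DEVICE_UID = bytes(range(16))


class LockboxErased(Exception):
    """Raised when an attempt arrives after the limit was exceeded and the data erased."""


class CounterLockbox:
    """One counter lockbox as the secure storage component would hold it.

    Fields follow the Platform Security Guide: 128-bit salt, 128-bit passcode
    verifier, 8-bit counter, 8-bit maximum attempt value, plus the entropy the
    lockbox guards. The storage component, not its caller, enforces the limit.
    """

    def __init__(self, passcode_entropy: bytes, max_attempts: int = 10) -> None:
        if not 1 <= max_attempts <= 255:
            raise ValueError("maximum attempt value must fit in 8 bits")
        self.salt = secrets.token_bytes(16)
        self.max_attempts = max_attempts
        self.counter = 0
        self.verifier = self._verifier_for(passcode_entropy)
        self._entropy = secrets.token_bytes(32)   # released only on a correct attempt
        self.erased = False

    def _verifier_for(self, passcode_entropy: bytes) -> bytes:
        # Assumption for the model: HMAC-SHA256 keyed with the salt, truncated to 128 bits.
        return hmac.new(self.salt, passcode_entropy, hashlib.sha256).digest()[:16]

    def unlock(self, passcode_entropy: bytes) -> Optional[bytes]:
        """Return the guarded entropy if the value verifies, None otherwise."""
        if self.erased:
            raise LockboxErased("passcode-protected data was erased")
        # Count first, check second: an attempt interrupted mid-check still burns a try.
        self.counter += 1
        if hmac.compare_digest(self._verifier_for(passcode_entropy), self.verifier):
            self.counter = 0
            return self._entropy
        if self.counter >= self.max_attempts:
            self._erase()
        return None

    def _erase(self) -> None:
        self._entropy = bytes(32)
        self.verifier = bytes(16)
        self.erased = True


def derive_passcode_entropy(passcode: str, uid: bytes) -> bytes:
    """Model of the paired Secure Enclave deriving the passcode entropy value.

    Assumption: stretch the passcode with PBKDF2-HMAC-SHA256, then tangle the
    result with the UID via HMAC, so a different Secure Enclave (different UID)
    produces a different value from the same passcode.
    """
    stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode(), b"example-kdf-salt", 10_000)
    return hmac.new(uid, stretched, hashlib.sha256).digest()


def guessing_attack(box: CounterLockbox, uid: bytes,
                    candidates: Iterable[str]) -> Tuple[int, Optional[bytes]]:
    """Model a GrayKey-style loop feeding guesses through the lockbox protocol.

    Returns (attempts the lockbox accepted, recovered entropy or None).
    """
    attempts = 0
    for guess in candidates:
        try:
            result = box.unlock(derive_passcode_entropy(guess, uid))
        except LockboxErased:
            break
        attempts += 1
        if result is not None:
            return attempts, result
    return attempts, None


if __name__ == "__main__":
    box = CounterLockbox(derive_passcode_entropy("4271", DEVICE_UID))
    assert box.unlock(derive_passcode_entropy("4271", DEVICE_UID)) is not None
    attempts, recovered = guessing_attack(box, DEVICE_UID, (f"{i:04d}" for i in range(10_000)))
    print(f"lockbox accepted {attempts} guesses, recovered={recovered is not None}, erased={box.erased}")
```

Running the script sweeps a four-digit space against a lockbox enrolled with passcode 4271: the lockbox accepts exactly ten guesses, erases itself, and refuses everything after that, so the attacker never reaches the right value. The real component adds an encrypted and authenticated channel between the Secure Enclave and the storage component, which this model leaves out.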