An updated Apple support document reveals a mid-production hardware change in devices built on the A12, A13, S4, and S5 processors. Such changes are sporadic; Apple appears to have upgraded the Secure Enclave's storage hardware in a slew of devices released in fall 2020.
The Secure Enclave is a coprocessor isolated from the main application processor, so that sensitive keys and data remain protected even if the main processor is compromised. It is used in some versions of iPhone, iPad, Mac, Apple TV, Apple Watch, and HomePod. The Secure Enclave communicates with the main processor only through an interrupt-driven mailbox and shared memory data buffers.
The updated Apple support document reads as follows:
Note: A12, A13, S4, and S5 products first released in Fall 2020 have a 2nd-generation Secure Storage Component; while earlier products based on these SoCs have 1st-generation Secure Storage Component.
Biometric authentication hardware such as Touch ID and Face ID relies on the Secure Enclave, which keeps that sensitive data isolated from the rest of the system. There are also multiple generations of Secure Enclave hardware across Apple devices: older devices carry an earlier generation than recent ones.
Apple's support document is not entirely clear, and some of its information seems erroneous. It says A13 products "first released in Fall 2020 have a 2nd-generation Secure Storage Component." However, Apple didn't introduce any new device with the A13 chip in fall 2020.
Differences between Secure Enclave generations
The 2nd-generation Secure Storage Component adds counter lockboxes. Each counter lockbox stores a 128-bit salt, a 128-bit passcode verifier, an 8-bit counter, and an 8-bit maximum attempt value. Access to the counter lockboxes is through an encrypted and authenticated protocol.
Counter lockboxes hold the entropy needed to unlock passcode-protected user data. To access the user data, the paired Secure Enclave must derive the correct passcode entropy value from the user’s passcode and the Secure Enclave’s UID. The user’s passcode can’t be learned using unlock attempts sent from a source other than the paired Secure Enclave. If the passcode attempt limit is exceeded (for example, 10 attempts on iPhone), the passcode-protected data is erased completely by the Secure Storage Component.
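The two properties described above (the passcode entropy is bound to the paired Secure Enclave's UID, and exceeding the attempt limit wipes the protected data) are easiest to see in a small model. The following is an added illustration written for this article, not Apple's code or a description of the real protocol: the KDF (PBKDF2 keyed by the UID), the HMAC-based verifier, the XOR wrap of the protected entropy, and the rule that the lockbox erases itself when consecutive failures reach the maximum attempt value are all assumptions chosen for the model. Field sizes follow the document: 128-bit salt, 128-bit verifier, 8-bit counter, 8-bit maximum.

```python
"""Toy model of a counter lockbox in the 2nd-generation Secure Storage Component.

Added example, not Apple's code. The KDF, verifier and wrap constructions and
the erase rule are assumptions made for illustration.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional

ITERATIONS = 10_000  # assumption: real hardware uses a tuned, hardware-bound KDF


def derive_passcode_entropy(passcode: str, uid: bytes) -> bytes:
    """Model of what only the paired Secure Enclave can compute: the passcode
    entropy depends on both the user's passcode and that Secure Enclave's UID."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid, ITERATIONS, dklen=32)


class CounterLockbox:
    """Holds the entropy needed to unlock passcode-protected user data."""

    def __init__(self, passcode_entropy: bytes, protected_entropy: bytes, max_attempts: int = 10):
        assert 0 < max_attempts < 256, "8-bit maximum attempt value"
        self.salt = os.urandom(16)                            # 128-bit salt
        self.verifier = self._verifier_for(passcode_entropy)  # 128-bit passcode verifier
        self.counter = 0                                      # 8-bit failed-attempt counter
        self.max_attempts = max_attempts                      # 8-bit maximum attempt value
        # Protected entropy, wrapped under the passcode entropy; wiped on exhaustion.
        self._wrapped = self._wrap(passcode_entropy, protected_entropy)
        self.erased = False

    def _verifier_for(self, passcode_entropy: bytes) -> bytes:
        # Assumption: verifier = HMAC-SHA256(salt, passcode_entropy) truncated to 128 bits.
        return hmac.new(self.salt, passcode_entropy, hashlib.sha256).digest()[:16]

    def _wrap(self, passcode_entropy: bytes, data: bytes) -> bytes:
        # Assumption: XOR with an HMAC-derived keystream (32 bytes). Applying it twice unwraps.
        keystream = hmac.new(passcode_entropy, b"wrap" + self.salt, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(data, keystream))

    def unlock(self, passcode_entropy: bytes) -> Optional[bytes]:
        """One unlock attempt. Returns the protected entropy on success, None on failure.
        Consecutive failures are counted; reaching max_attempts erases the lockbox."""
        if self.erased:
            return None
        if hmac.compare_digest(self._verifier_for(passcode_entropy), self.verifier):
            self.counter = 0
            return self._wrap(passcode_entropy, self._wrapped)
        self.counter += 1
        if self.counter >= self.max_attempts:
            self._erase()
        return None

    def _erase(self) -> None:
        """Model of the Secure Storage Component wiping the passcode-protected data."""
        self._wrapped = b""
        self.verifier = b""
        self.erased = True


def guesses_until_erase(box: CounterLockbox, uid: bytes, guesses: Iterable[str]) -> int:
    """Feed passcode guesses through the paired Secure Enclave until the lockbox
    erases itself; returns how many guesses were consumed. With all-wrong guesses
    this is exactly max_attempts, the hard cap a cracking tool faces."""
    used = 0
    for guess in guesses:
        if box.erased:
            break
        box.unlock(derive_passcode_entropy(guess, uid))
        used += 1
    return used


if __name__ == "__main__":
    uid = os.urandom(32)           # constructed: the paired Secure Enclave's UID
    user_entropy = os.urandom(32)  # constructed: entropy guarding the user's data
    box = CounterLockbox(derive_passcode_entropy("246810", uid), user_entropy)
    print("paired SE, right passcode:", box.unlock(derive_passcode_entropy("246810", uid)) == user_entropy)
    print("other SE, right passcode: ", box.unlock(derive_passcode_entropy("246810", os.urandom(32))))
    print("guesses before erase:     ", guesses_until_erase(box, uid, (f"{i:06d}" for i in range(1000))))
    print("erased:", box.erased)
```

The second print shows why unlock attempts from anything other than the paired Secure Enclave are useless: with a different UID the derived entropy never matches the verifier, even for the correct passcode, so an attacker cannot test guesses offline against an extracted lockbox. The third shows the budget an online attacker gets before the protected entropy is gone.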
Summing up, the updated Secure Storage Component is designed to resist unauthorized unlock attempts and is more secure than the previous version.
Our Take
It looks like Apple updated the Secure Enclave's storage component in all newly manufactured units of these devices, that is, the iPhone XR, iPhone 11, iPhone SE, iPad mini, Apple Watch SE, and HomePod mini built from fall 2020 onward. Apple made the change in 2020 but only updated its support documents a year later, in 2021. Perhaps the second-generation Secure Storage Component is designed to thwart passcode-cracking devices like GrayKey.
[via Apple Support Document]