undefined | Better HN

0 pointsthomaspurchas10y ago0 comments

You seem to make the assumption that corrupting the secure enclave firmware is easy, or that its RAM is exposed of chip.

The entire point of an secure enclave is to completely enclose all the hardware and software needed to generate encryption keys in a single lump of silicon.

This means that all of its processing requirements (it's a complete co-processor) are on chip, it's RAM is on chip (not shared with it the main CPU, and probably has ECC), and it uses secure boot to cryptographically verify that it's firmware has not been tampered with before it starts executing. Additionally it may even be possible to update it bootloader in the future to prevent further updates without a passcode.

The end result means that attacking a secure element is very difficult. There are few, if any, exposure points that would allow you to fiddle with its internal state, and any attempts too should result in the secure element wiping stored keys, making further attacks a moot point.

0 comments

cromwellian10y ago

I don't make that assumption, I worked on developing TPM modules myself in the 90s at research labs, and our prototypes had even more anti-tampering than so far revealed about Secure Enclave/Trustzone: we had micro-wire-meshes in the packaging to self-destruct on drilling or decapping, we had anti-ultrasonic and anti-TEMPEST shielding. I'm pretty familiar.

The point is that state actors have vast resources to pull off these attacks. The NSA intercepted hardware in the supply chain to implant attacks as documented by Snowden. Stuxnet was a super-elaborate attack on the physical resources of the Iranian nuclear program, which was obviously carried out with supply chain vendors like Siemens. Apple uses Samsung as a supplier, and the US government has very high level security arrangements with the South Koreans, so how do we know the chips haven't been compromised even before they arrive at Foxconn for assembly?

Here's an example of a TPM module being decapped and hacked at Blackhat: https://redmondmag.com/articles/2010/02/03/black-hat-enginee...

Attacks have been shown using silicon doping, security fuse cutting, etc.

If the NSA really wanted to crack the Secure Enclave, I have very little doubt about their ability to carry it out.

jonknee10y ago

> If the NSA really wanted to crack the Secure Enclave, I have very little doubt about their ability to carry it out.

Well they certainly really want to crack the Secure Enclave, so maybe this case is moot.

1 more reply

nickik10y ago

Interesting stuff, cool post.

Seems to me when we are at a point were every time the NSA wants to get at some data, the have to start a heroic effort of attacking low level hardware, we are in a pretty good state in terms of device security.

MertsA10y ago

>it's RAM is on chip (not shared with it the main CPU, and probably has ECC)

Apple's security guide would indicate otherwise, look on page 7. The secure enclave encrypts its portion of memory, but it isn't built into the secure enclave itself.

https://www.apple.com/business/docs/iOS_Security_Guide.pdf

j / k navigate · click thread line to collapse