; Date: Sun Aug 04 2019
Apple claims the T2 Security Chip does all kinds of wonderful things for personal security. It ensures that only a trusted, authorized operating system can boot the computer, which is meant to stop tampered boot code or errant KEXTs from creating gaping security holes, for example. And the T2 chip physically disconnects the internal microphone when the lid is closed, to prevent eavesdropping. But if the T2 chip dies, the computer is effectively unrepairable and the data on it is gone.
Let's quickly review some aspects of the T2 Security Chip (see What is the T2 Security Chip on modern MacBooks).
- The Secure Enclave on the T2 Security Chip holds a unique hardware key (the UID) that is fused into each chip during manufacture, and the storage encryption keys are derived from it.
- By default the T2 chip encrypts all data on the internal SSD using keys derived from that hardware key, whether or not FileVault is turned on. Turning on FileVault additionally ties the key to your login password.
- Encryption keys held in the Secure Enclave are designed never to leave it, and cannot be retrieved by any means from outside the T2 chip.
- The T2 chip serves many functions, including acting as the SSD controller: the flash storage is raw NAND on the logic board, and the T2 sits between it and the rest of the system.
The chip does a lot more than that, but that's what is relevant for this posting.
The effect is this:
- The internal SSD of a T2 Security Chip computer cannot be read on a different computer.
The storage is encrypted using a key that lives inside the T2 chip and is unique to that chip. Since nobody can retrieve that key, the drive cannot be decrypted anywhere except in the computer it came from.
What happens if the T2 Security Chip goes bad? Not only will the computer not boot, you cannot retrieve the data from the storage device either. The only thing that saves your data in that case is a backup made while the machine still worked, with Time Machine or otherwise.
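To make the key binding concrete, here is an added example in Go that models the relevant part of the chip's behaviour. It is not Apple's code and not anything from the video: the UID, the HMAC-SHA256 derivation of the volume key from it, the label string, and the use of AES-256-GCM as a stand-in for the chip's hardware AES engine are all assumptions made for illustration. The point it demonstrates is the one in the text: the secret never leaves the chip object, so data written through one chip can only be read back through that same chip, and a chip with a different UID (a replacement logic board) gets a failed authentication tag, not plaintext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SecureEnclave is an illustrative model of the key-handling side of a T2:
// a per-chip secret fused at manufacture that is never exposed, plus an
// encrypt/decrypt interface that only ever hands out ciphertext.
// This is not Apple's implementation; the field and derivation are assumed.
type SecureEnclave struct {
	uid [32]byte // fused at "manufacture"; no method ever returns it
}

// NewSecureEnclave simulates manufacturing: the UID is drawn once from the
// system RNG and from then on is only used inside the chip.
func NewSecureEnclave() *SecureEnclave {
	se := &SecureEnclave{}
	if _, err := rand.Read(se.uid[:]); err != nil {
		panic(err)
	}
	return se
}

// storageKey derives the volume key from the UID. HMAC-SHA256 under a fixed
// label is the assumed KDF here; the real chip's derivation is not public.
func (se *SecureEnclave) storageKey() []byte {
	mac := hmac.New(sha256.New, se.uid[:])
	mac.Write([]byte("internal-storage-volume-key"))
	return mac.Sum(nil) // 32 bytes, used as an AES-256 key
}

// aead builds the AES-256-GCM instance that stands in for the hardware engine.
func (se *SecureEnclave) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(se.storageKey())
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a storage block under the chip-bound key. The output is
// nonce || ciphertext || tag, which is what would actually sit on the NAND.
func (se *SecureEnclave) Encrypt(plain []byte) ([]byte, error) {
	gcm, err := se.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// Decrypt is the only way to get plaintext back. It succeeds only on the chip
// whose UID produced the key; on any other chip the GCM tag check fails.
func (se *SecureEnclave) Decrypt(sealed []byte) ([]byte, error) {
	gcm, err := se.aead()
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed block too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// MoveDriveToOtherMac runs the scenario from the post: NAND written through
// one chip, then read through the original chip and through a replacement
// board's chip. It reports whether the data came back in each case.
func MoveDriveToOtherMac(data []byte) (sameBoardOK bool, otherBoardOK bool) {
	original := NewSecureEnclave()
	replacement := NewSecureEnclave() // different UID, therefore different key
	nand, err := original.Encrypt(data)
	if err != nil {
		panic(err)
	}
	got, err := original.Decrypt(nand)
	sameBoardOK = err == nil && bytes.Equal(got, data)
	_, err = replacement.Decrypt(nand)
	otherBoardOK = err == nil
	return sameBoardOK, otherBoardOK
}

func main() {
	same, other := MoveDriveToOtherMac([]byte("constructed sample: user documents"))
	fmt.Printf("readable on original board:    %v\n", same)
	fmt.Printf("readable on replacement board: %v\n", other)
}
```

Note what is missing from the model on purpose: there is no method that returns `uid` or the derived key, and there is no "recovery" path. That is the design the post is complaining about. The same property that stops an attacker from pulling the NAND and reading it elsewhere is what makes a dead chip equivalent to losing the drive.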
Traditionally, if a computer went bad you'd stick the drive in an external case, connect it to the USB port of another computer, and you'd have your data back. Or maybe you wouldn't do it yourself, but a repair technician at a shop would. I've done this many times myself.
But with Apple's T2 Security Chip, the data on the storage device is locked to the specific computer.
This is also good for Apple. Apple swears up and down that this change was done for us, the customer. And maybe the T2 chip increases security enough to help us. But it also helps Apple increase sales.
How does this increase Apple's sales? It encourages you to buy a whole new computer.
The T2 Security Chip cannot be replaced on its own, because its keys are unique to each computer. At best the entire logic board could be replaced, at a large cost. Even then the data on the storage device would still be lost: the new logic board has a different T2 chip with different encryption keys and cannot decrypt the storage.
In the attached video Louis Rossmann has a logic board from a recent-model 15 inch MacBook Pro. Apple told the owner of that computer it had extensive liquid damage. Louis demonstrates there is no liquid damage on that board, and instead shows that the T2 Security Chip is running very hot, which he concludes means the chip has failed.
From there he goes on a bit of a rant full of technical jargon. The text above is my attempt to translate it into plainer terms.