The secure nonvolatile storage is used for all anti-replay services in the Secure Enclave. Anti-replay services on the Secure Enclave are used for revocation of data over events that mark anti-replay boundaries including, but not limited to, the following:
Passcode change
Enabling or disabling Optic ID, Face ID, or Touch ID
Adding or removing an Optic ID eye, a Face ID face, or a Touch ID fingerprint
Optic ID, Face ID, or Touch ID reset
Adding or removing an Apple Pay card
Erase All Content and Settings
On architectures that don’t feature a Secure Storage Component, EEPROM (electrically erasable programmable read-only memory) is utilized to provide secure storage services for the Secure Enclave. Just like the Secure Storage Components, the EEPROM is attached and accessible only from the Secure Enclave, but it doesn’t contain dedicated hardware security features nor does it guarantee exclusive access to entropy (aside from its physical attachment characteristics) nor counter lockbox functionality.
On Apple Vision Pro, the Secure Neural Engine converts images into a mathematical representation of a user’s eyes. On devices with Face ID (not Touch ID), the Secure Neural Engine converts 2D images and depth maps into a mathematical representation of a user’s face.
On A11 through A13 SoCs, the Secure Neural Engine is integrated into the Secure Enclave. The Secure Neural Engine uses direct memory access (DMA) for high performance. An input-output memory management unit (IOMMU) under the sepOS kernel’s control limits this direct access to authorized memory regions.
Starting with A14, M1, or later SoCs, the Secure Neural Engine is implemented as a secure mode in the Application Processor’s Neural Engine. A dedicated hardware security controller switches between Application Processor and Secure Enclave tasks, resetting Neural Engine state on each transition to keep Optic ID or Face ID data secure. A dedicated engine applies memory encryption, authentication, and access control. At the same time, it uses a separate cryptographic key and memory range to limit the Secure Neural Engine to authorized memory regions.
All electronics are designed to operate within a limited voltage and frequency envelope. When operated outside this envelope, the electronics can malfunction and then security controls may be bypassed. To help ensure that the voltage and frequency stay in a safe range, the Secure Enclave is designed with monitoring circuits. These monitoring circuits are designed to have a much larger operating envelope than the rest of the Secure Enclave. If the monitors detect an illegal operating point, the clocks in the Secure Enclave automatically stop and don’t restart until the next SoC reset.
Note: A12, A13, S4, and S5 products first released in Fall 2020 have a 2nd generation Secure Storage Component, whereas while earlier products based on these SoCs have a 1st generation Secure Storage Component.
SoC
Memory Protection Engine
Secure Storage
AES Engine
PKA
A8
Encryption and authentication
EEPROM
Yes
No
A9
DPA protection
A10
DPA protection and lockable seed bits
OS-bound keys
A11
Encryption, authentication, and replay prevention
A12 (Apple devices released before Fall 2020)
Secure Storage Component gen 1
A12 (Apple devices released after Fall 2020)
Secure Storage Component gen 2
A13 (Apple devices released before Fall 2020)
OS-bound keys and Boot Monitor
A13 (Apple devices released after Fall 2020)
A14–A18
S3
S4
S5 (Apple devices released before Fall 2020)
S5 (Apple devices released after Fall 2020)
S6–S9
T2
M1–M4