by ctwentz 2792 days ago
The T2 is utilizing a physically unclonable function (PUF) and TRNG to create a public/private device key pair on die. At manufacturing, the T2 exposes the device public key to Apple; Apple signs it with a group key posted to their CA. This is why they say they can revoke privileges via the CA. It's unclear to me whether the T2 regenerates this key pair each time it is requested, or whether it is encrypted and stored in memory. In the event the latter is the case, the encryption is being performed inside the secure enclave.

"Secure enclave" used here is almost certainly distinct from Intel SGX, ARM TrustZone and the like. The page tables are protected. Rowhammer, Spectre, Meltdown and Foreshadow do not apply to something like the T2, as the OS is considered trusted.

The fundamental challenge that e.g. Intel's SGX has over this type of architecture is that a dedicated security co-processor doesn't need to maintain the speculative execution behaviors necessitated by performance requirements, which expose numerous side-channel attacks, and it likely has minimal need to assume untrusted code operating in the T2 OS.
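The provisioning and revocation flow the comment describes (PUF-derived device key, manufacturer group key endorsing the device public key, verifier checking the CA's revocation state), written out as an added, simplified model. This is not Apple's code or protocol and is not from the commenter: the PUF response is a constructed byte string, HMAC-SHA256 stands in for the on-die key derivation, Ed25519 stands in for whatever signature scheme the real silicon uses, the "certificate" is a bare signed public key rather than X.509, and revocation is a local set keyed by a hash of the device public key. What it does show is the point the comment is unsure about: a key derived deterministically from the PUF response can be regenerated on every request, so no private key ever needs to be stored, encrypted or otherwise.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed stand-in for a PUF response. Real silicon derives this from
// manufacturing variation; a fixed byte string keeps the example deterministic.
var pufResponse = []byte("constructed-puf-response-for-illustration-only")

// DeriveDeviceKey regenerates the device signing key from the PUF response and
// an on-die salt. HMAC-SHA256 is an assumed KDF, not the T2's; the point is that
// the derivation is deterministic, so the private key is recomputed on demand
// rather than stored.
func DeriveDeviceKey(puf, salt []byte) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, salt)
	mac.Write(puf)
	seed := mac.Sum(nil) // 32 bytes, exactly ed25519.SeedSize
	return ed25519.NewKeyFromSeed(seed)
}

// PublicKeyOf extracts the Ed25519 public half of a derived device key.
func PublicKeyOf(priv ed25519.PrivateKey) ed25519.PublicKey {
	return priv.Public().(ed25519.PublicKey)
}

// DeviceID is the identifier the CA tracks for revocation: a truncated hash of
// the device public key (an assumed scheme, chosen so the CA never needs the
// private key to name a device).
func DeviceID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Cert is the manufacturer's endorsement of a device public key: the group key's
// signature over a domain-separated copy of that key.
type Cert struct {
	DevicePub ed25519.PublicKey
	Sig       []byte
}

func certTBS(pub ed25519.PublicKey) []byte {
	return append([]byte("device-cert:"), pub...)
}

// Endorse is the manufacturing-time step: the device exposes only its public
// key, and the CA's group key signs it.
func Endorse(groupPriv ed25519.PrivateKey, pub ed25519.PublicKey) Cert {
	return Cert{DevicePub: pub, Sig: ed25519.Sign(groupPriv, certTBS(pub))}
}

// Verifier holds the trust anchor (group public key) and the revocation list
// published by the CA.
type Verifier struct {
	GroupPub ed25519.PublicKey
	Revoked  map[string]bool
}

var (
	ErrBadCert  = errors.New("device cert not signed by group key")
	ErrRevoked  = errors.New("device revoked by CA")
	ErrBadProof = errors.New("device did not prove possession of private key")
)

// Attest checks, in order: the endorsement chains to the group key, the device
// has not been revoked, and the device can sign a fresh challenge. Order matters:
// a revoked device's proof-of-possession is never consulted.
func (v Verifier) Attest(c Cert, challenge, proof []byte) error {
	if !ed25519.Verify(v.GroupPub, certTBS(c.DevicePub), c.Sig) {
		return ErrBadCert
	}
	if v.Revoked[DeviceID(c.DevicePub)] {
		return ErrRevoked
	}
	if !ed25519.Verify(c.DevicePub, challenge, proof) {
		return ErrBadProof
	}
	return nil
}

func main() {
	salt := []byte("on-die-salt")
	k1 := DeriveDeviceKey(pufResponse, salt)
	k2 := DeriveDeviceKey(pufResponse, salt) // "regenerated on request"
	fmt.Println("same key on regeneration:", bytes.Equal(PublicKeyOf(k1), PublicKeyOf(k2)))

	groupPub, groupPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := Endorse(groupPriv, PublicKeyOf(k1))
	v := Verifier{GroupPub: groupPub, Revoked: map[string]bool{}}

	challenge := []byte("verifier-nonce-0001")
	proof := ed25519.Sign(k1, challenge)
	fmt.Println("attest before revocation:", v.Attest(cert, challenge, proof))

	v.Revoked[DeviceID(cert.DevicePub)] = true // CA revokes this device
	fmt.Println("attest after revocation:", v.Attest(cert, challenge, proof))
}
```

The revocation check is keyed on the device public key, not on the device's signature, so the CA can revoke a unit from the group without having any access to its PUF-derived secret; that matches the comment's reading that privileges can be pulled "via the CA" without touching the silicon.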