[gorgonzolachz]

Yeah, I've worked with HSMs in the past and to say that it's a challenge to get key material out of them is an understatement. That said, a lot of this depends on the architecture surrounding the HSM - if the key material leaves the HSM at any point, you've basically increased your attack surface from an incredibly secure box to whatever your surrounding interfaces are. At Apple's scale, I have to imagine it's more economical to have some kind of envelope encryption - maybe this is the right attack vector for a malicious actor to hit?