[bri3d]

Keeping a victim device unlocked when the lock state is responsible for encryption key state is a totally legitimate risk.

With that being said, I don’t think Apple see this specific part as a security critical component, because the calibration is not cryptographic and just sets some end point data. Apple are usually pretty good about using cryptography where they see real security boundaries.

[echelon]

Don't invent reasons for Apple to continue to have a stranglehold over their monopoly of critical computing infrastructure.

Companies as big as Apple and Google that provide such immensely important platforms and devices should have their hands tied by every major government's regulatory bodies to keep the hardware open for innovation without taxation and control.

We've gone from open computing to serfdom in the last 20 years, and it's only getting worse as these companies pile on trillions after trillions of nation state equivalent market cap.

[astrange]

The government regulators also have an interest in knowing the laptops they buy for eg the NSA have authenticated parts to avoid supply chain attacks.

If you're selling cell phones you already spend plenty of time satisfying regulators and vendors from all over the world. The cell phone companies aren't the ones with power here. (In general tech people have no political power because none of them have any social skills.)

[cwillu]

Because the NSA is buying used laptops?

[swiftcoder]

Supply chain attacks don't generally target the second hand market. Much more effective to upstream your attack to the vendor Apple buys parts from in China, and compromise every MacBook in one fell swoop

[astrange]

That's too discoverable to work. Supply chain attacks are by state actors who can interrupt specifically your order on its way to you and silently replace parts in it.

[arcticbull]

It doesn't need to be encrypted if it's one-time programmable. The calibration data is likely written into efuses which are physically burned and cannot be reset.

[bri3d]

The sensor and its data stream would need to be authenticated, though.

[arcticbull]

For the mic cut-off? My understanding is that it outputs an electrical signal that's routed to the audio codec that literally prevents the audio from getting to system memory in the same way a physical switch would. It autonomously, at an electrical level, disconnects the mic without OS or software intervention. As it cannot be programmed again, you would have to crack open the laptop and modify the PCB to override it.

[bri3d]

Oh, I understand now - you're right, OTP sensor data does protect against a real threat model I hadn't considered before:

* A remote attacker gains whatever privilege lets them get to the sensor SPI. * Without OTP calibration, the attacker could reprogram the sensor silently to report a different endstop, keeping the machine awake and the hard-cuts active. * With OTP calibration, this is closed.

So perhaps it is more security-related than I initially thought.

I was more considering the counterfeit part / supply chain / evil maid scenario, where the fact that Apple's sensors are OTP is meaningless (since a replacement sensor doesn't need to be, plus, you could just put a microcontroller pretending to be a sensor in there since there's no actual protection).

Thanks, you made me think again and figure it out!