Secure Enclave is a hardware component of modern Apple mobile devices, such as the iPhone. It is a coprocessor of the device's ARM CPU, in models S2, A7, and later A-series processors. It provides all cryptographic operations for authenticating the user and is designed to be secure even if the iOS kernel has been hacked.
Secure Enclave was developed in conjunction with Apple's Touch ID technology, which can identify a user by his or her fingerprint. They were introduced together on September 10, 2013, as part of Apple's announcement of the iPhone 5s, the first device to feature Touch ID.
How it works
- The Secure Enclave runs a dedicated microkernel and undergoes a secure boot process separate from the rest of the device. It receives its system updates independent of the other CPU components.
- When the device boots, the Secure Enclave generates an ephemeral encryption key and "entangles" it with a UID (user ID) which cannot be accessed by the rest of the CPU. This key is used to encrypt, and verify the authenticity of, the Secure Enclave's portion of the device's memory. Any data written to NAND flash storage by the Secure Enclave is encrypted by combining this entangled ephemeral key with an anti-replay counter to prevent data tampering.
- Authentication data is sent from biometric sensors to the Secure Enclave over a serial bus. The CPU facilitates this operation, but cannot read the data. The data is processed by the Secure Enclave in its encrypted memory space.
- If the Secure Enclave verifies the biometric data as authentic, it sends a message to the CPU using a "mailbox" of hardware interrupts. The CPU then permits the user to unlock or make purchases with the device.
On September 12, 2017, Apple announced that Face ID, its new biometric authentication technology featured in the iPhone X, will replace Touch ID on newer devices. On the iPhone X, Face ID stores and processes all biometric data in the Secure Enclave of its ARM A11 CPU.