(no title)

"Unique ID (UID) - A 256-bit AES key that’s burned into each processor at manufacture. It cannot be read by firmware or software, and is used only by the processor’s hardware AES engine. To obtain the actual key, an attacker would have to mount a highly sophisticated and expensive physical attack against the processor’s silicon. The UID is not related to any other identifier on the device including, but not limited to, the UDID." - https://www.apple.com/ipad/business/docs/iOS_Security_Feb14....

> "To obtain the actual key, an attacker would have to mount a highly sophisticated and expensive physical attack against the processor’s silicon."

This is not true if the UID is generated in some way that allows pilfering by the manufacturer.

> So, generating a list of PUF outputs for all 10,000 4-digit numeric passcode would take Apple ~14 minutes--and it must be done on each device.

The threat model here is not Apple, but the manufacturer. In this case the options I mentioned earlier would allow very fast attacks that could be launched selectively at target devices later on.

> Of course, this is all a moot point, as none of this is verifiable (at least, to me and you).

Definitely not verifiable of falsifiable by you or by me. I would suggest however that the claims and reputation of the Secure Enclave is not deserved. Finally, in crypto, skepticism is a feature.