Comment by grahamj
16 hours ago
I don't believe it's the SE itself that encrypts user data so it must already be the case that the key is generated outside the SE, sent to it for storage, and is retrieved if the user is authenticated.
So the difference between Apple generating the key on device and storing it in the SE and the user generating it and storing it in the SE is that the user can use a known-secure key generation algo. If Apple generates the key you can't be sure it's cryptographically secure and doesn't have a backdoor.
The SE’s AES engine inline encrypts and decrypts data to flash, and the SEP is responsible for generating all keys.
At this point, the people who claim they can’t trust Apple’s key generation should also distrust Intel or AMD or any other vendor’s key generation as well. Might as well generate keys by hand.
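To show the SEP key model the reply describes (the SE generates the key and software only ever holds a reference to it), here is an added Swift example that is not from either commenter; it uses Apple's Security framework on a device with a Secure Enclave, and the application tag is a made-up value.

```swift
import Foundation
import Security

// Hypothetical tag for this example; any app-unique byte string works.
let tag = "com.example.sep-demo.signing-key".data(using: .utf8)!

// Access policy bound to this device: the key is usable only while unlocked
// and only after the user authenticates (Face ID / Touch ID / passcode).
var acError: Unmanaged<CFError>?
guard let access = SecAccessControlCreateWithFlags(
    kCFAllocatorDefault,
    kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    [.privateKeyUsage, .userPresence],
    &acError) else {
    fatalError("access control: \(acError!.takeRetainedValue())")
}

// kSecAttrTokenIDSecureEnclave asks the SEP to generate the P-256 private key
// itself; the application processor only receives a handle to it.
let attributes: [String: Any] = [
    kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
    kSecAttrKeySizeInBits as String: 256,
    kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
    kSecPrivateKeyAttrs as String: [
        kSecAttrIsPermanent as String: true,
        kSecAttrApplicationTag as String: tag,
        kSecAttrAccessControl as String: access,
    ],
]
var error: Unmanaged<CFError>?
guard let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
    fatalError("key generation failed: \(error!.takeRetainedValue())")
}

// The public half can be exported and shared...
let publicKey = SecKeyCopyPublicKey(privateKey)!
let pubBytes = SecKeyCopyExternalRepresentation(publicKey, &error)! as Data
print("public key (X9.63): \(pubBytes.count) bytes")

// ...but the private half cannot: for SE-resident keys this call returns nil
// with an error, because the raw key material is never released to software.
if SecKeyCopyExternalRepresentation(privateKey, &error) == nil {
    print("private key export refused: \(error!.takeRetainedValue())")
}

// Signing happens inside the SE; the app receives only the DER-encoded signature.
let message = "constructed sample message".data(using: .utf8)! as CFData
let signature = SecKeyCreateSignature(privateKey, .ecdsaSignatureMessageX962SHA256, message, &error)! as Data
print("signature: \(signature.count) bytes")
```

Run this on hardware with a Secure Enclave (an iOS device or a Mac with a T2 or Apple silicon chip); the iOS simulator has no SE and the key generation call fails there.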