Secure Enclave

A separate security coprocessor inside Apple Silicon and T2-equipped Intel Macs; holds private keys, performs cryptographic operations, and is inaccessible from the main OS.

The Secure Enclave is a dedicated security subsystem on the Apple system-on-chip. It runs its own operating system, has its own memory, and exposes a small interface for cryptographic operations: generating and storing keys, performing signatures, evaluating biometric matches. The keys held in the Secure Enclave never leave it; what the OS receives are signatures the enclave produces on demand.

For Macfax, the Secure Enclave is what binds a report to its device. The Macfax app asks the enclave to generate a per-device key, then asks the enclave to sign a fingerprint of the diagnostic data with that key. The signature can be verified anywhere, but only that specific enclave (on that specific Mac) can produce it. Move the Mac's drive, swap the case, even pull the logic board: the keys stay with the enclave, and the enclave travels with the logic board.

Every Macfax report is signed by a key held inside the Secure Enclave of the Mac that produced it, and the device-key fingerprint is published on the report (Basic and Premium both). The server verifies the signature at issuance and refuses to publish a report whose signature doesn't match. What Premium adds is the ability for a buyer to re-derive that same fingerprint on the Mac in front of them through the Macfax app, confirming the device hasn't been swapped between issuance and delivery.
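The issuance check described above, sketched as an added example (not Macfax's own code). The report layout, the fingerprint definition (hex SHA-256 of the DER-encoded public key) and the signature format (ECDSA P-256 over SHA-256, ASN.1) are assumptions, and a software key stands in for the enclave-held key so the example runs anywhere.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

type Report struct { // hypothetical layout, not Macfax's real format
	Diagnostics, Signature, DevicePubKey []byte // key is DER SubjectPublicKeyInfo
	KeyFingerprint                       string // assumed: hex SHA-256 of DevicePubKey
}

func Fingerprint(pubDER []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(pubDER))
}

// IssueReport plays the Mac; a fresh software P-256 key stands in for the enclave key.
func IssueReport(diag []byte) (Report, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Report{}, err
	}
	digest := sha256.Sum256(diag)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return Report{}, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	return Report{diag, sig, pubDER, Fingerprint(pubDER)}, err
}

// VerifyAtIssuance is the server-side check: publish only if it returns true.
func VerifyAtIssuance(r Report) bool {
	k, err := x509.ParsePKIXPublicKey(r.DevicePubKey)
	pub, ok := k.(*ecdsa.PublicKey)
	if err != nil || !ok || pub.Curve != elliptic.P256() || Fingerprint(r.DevicePubKey) != r.KeyFingerprint {
		return false
	}
	digest := sha256.Sum256(r.Diagnostics)
	return ecdsa.VerifyASN1(pub, digest[:], r.Signature)
}

func main() {
	r, err := IssueReport([]byte("model=CONSTRUCTED-SAMPLE")) // constructed input
	fmt.Println(r.KeyFingerprint, err, VerifyAtIssuance(r))
}
```

A report issued by a different key carries a different fingerprint, which is the mismatch a buyer's re-check on the Mac in hand would surface.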

Older Intel Macs without a T2 chip have no Secure Enclave; Macfax does not run on them.
