Meaning we really do not know how things are being done inside the T2 chip. Who knows there is a backdoor

Well, what we *do* know is that your Apple Service Provider needs some sort of privileged access to the T2 chip so that they can authorise drive replacements. Sounds like a potential "back door" to me. More to the point, you, the owner, don't even get to have control of the front door key so that you can lock it away in that titanium safe just beyond the piranha tanks in your volcano headquarters.

So to the question, do you really need to lock the drive to the T2 chip to provide better security. I don't think so.

Obligatory XKCD:

security.png


I'm sure that there is some scenario whereby you could install a SSD with a malicious OS, or maybe some malicious hardware cooked up at SPECTRE HQ that would hack the T2 from within. OTOH that could be said of every component - so it seems a bit inconsistent that others have reported successful CPU upgrades (pretty major hardware tampering there) and that you can plug anything you like into the PCIe bus without first "authorising" it... That would be pretty draconian - and not for everybody - but probably necessary if you want to do it properly...

Thing is - security is a trade off between the risk of a sophisticated hack vs. the risk of accidentally losing access to your data or having extra downtime because of hardware failure. On a consumer device like an iPhone, with no user serviceable parts or software, highly likely to be misplaced and an increasing role as a payment/id tool then maybe it's reasonable for Apple to take security into their own hands because the typical user is pretty useless at it, but for a "pro" product aimed at people who know what they are doing, maybe Apple should trust customers to enable as much or as little security as their work requires.

Of course, one possible reason for having the drive locked to the T2 chip might be because the technology was originally designed for iPhones and MacBooks with soldered-in SSDs?
 
Well, what we *do* know is that your Apple Service Provider needs some sort of privileged access to the T2 chip so that they can authorise drive replacements. Sounds like a potential "back door" to me. More to the point, you, the owner, don't even get to have control of the front door key so that you can lock it away in that titanium safe just beyond the piranha tanks in your volcano headquarters.



Obligatory XKCD:

security.png


I'm sure that there is some scenario whereby you could install a SSD with a malicious OS, or maybe some malicious hardware cooked up at SPECTRE HQ that would hack the T2 from within. OTOH that could be said of every component - so it seems a bit inconsistent that others have reported successful CPU upgrades (pretty major hardware tampering there) and that you can plug anything you like into the PCIe bus without first "authorising" it... That would be pretty draconian - and not for everybody - but probably necessary if you want to do it properly...

Thing is - security is a trade off between the risk of a sophisticated hack vs. the risk of accidentally losing access to your data or having extra downtime because of hardware failure. On a consumer device like an iPhone, with no user serviceable parts or software, highly likely to be misplaced and an increasing role as a payment/id tool then maybe it's reasonable for Apple to take security into their own hands because the typical user is pretty useless at it, but for a "pro" product aimed at people who know what they are doing, maybe Apple should trust customers to enable as much or as little security as their work requires.

Of course, one possible reason for having the drive locked to the T2 chip might be because the technology was originally designed for iPhones and MacBooks with soldered-in SSDs?
No

like it or not, the T2 chip (designed for the Mac) ensures the attached drive cannot be removed and simply read on another computer as is the simplest hack on windows drive security. Sure you need to decrypt, but as a slave drive, this is easy with no protection like number of try limits, etc.

Do you really need security like this? That’s your choice.
Not really too much of an inconvenience to take it to someone authorized to repair/replace the drive - the incidence of failure for SSDs is really (like really, really) small. As is described you can add internal storage to your heart's content, but also add external full speed drives via TB3. So, yah!
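
The claim in the post above (a removed drive can be attacked on another machine with no try limit unless its key is tied to the chip), as an added example that is not part of the original thread. It is a simplified Python model, not Apple's actual T2 design; `SecurityChip`, the drive dictionaries and the candidate list are hypothetical and constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 2000          # constructed demo value; real KDF settings are far higher
CHECK = b"volume-check"    # stand-in for "does this key decrypt the volume header?"
CANDIDATES = ["123456", "letmein", "hunter2"]  # constructed sample passwords


def password_key(password: str, salt: bytes) -> bytes:
    """Key derived from the password alone (software-only encryption model)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def bound_key(password: str, salt: bytes, device_secret: bytes) -> bytes:
    """Key that also depends on a secret that never leaves the chip."""
    return hmac.new(device_secret, password_key(password, salt), hashlib.sha256).digest()


def verifier(key: bytes) -> bytes:
    return hmac.new(key, CHECK, hashlib.sha256).digest()


def format_software_only(password: str) -> dict:
    """Everything needed to test a password is stored on the drive itself."""
    salt = os.urandom(16)
    return {"salt": salt, "verifier": verifier(password_key(password, salt))}


class SecurityChip:
    """Hypothetical chip: holds the device secret and counts failed unlocks."""

    def __init__(self, max_tries: int = 5):
        self._secret = os.urandom(32)
        self._tries_left = max_tries

    def format_drive(self, password: str) -> dict:
        salt = os.urandom(16)
        key = bound_key(password, salt, self._secret)
        return {"salt": salt, "verifier": verifier(key)}

    def unlock(self, drive: dict, password: str) -> bool:
        if self._tries_left <= 0:
            return False  # locked out, even for the right password
        key = bound_key(password, drive["salt"], self._secret)
        if hmac.compare_digest(verifier(key), drive["verifier"]):
            return True
        self._tries_left -= 1
        return False


def guess_off_device(drive: dict, candidates: list) -> "str | None":
    """What can be tested with only the removed drive: password-only keys,
    as many times as desired, because no chip is there to count tries."""
    for candidate in candidates:
        key = password_key(candidate, drive["salt"])
        if hmac.compare_digest(verifier(key), drive["verifier"]):
            return candidate
    return None
```

In this model the software-only drive gives up a weak password to unlimited off-device guessing, while the chip-bound drive can only be tested through `unlock`, which stops answering after `max_tries` failures.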
 
oh that makes so much sense, thank you. I was wondering why you could just add a drive (as in this article) or get a thunderbolt3 external drive with just as much speed. Now it makes so much sense

Except you can... You can Disable SIP in recovery mode and install a bootable OS on any drive you want. Don't use the included drives... and have it boot from a PCIE NVME or even an external thunderbolt.

As an aside... This is my point about stupidly expensive front doors with triple locks in the top / sides and powered deadbolts... If someone really wants to get into your house they'll just smash a window round the back.
 
The fact is, 'security' is just a cover for the real reason Apple is putting in the T2 ... to further lock down their systems and preventing the actual OWNER of the computer to have full autonomy and control over the thing they own.
Although harsh about it, you make a few good points. Right up until here. You’re suggesting that in some meeting at Apple Park a couple of years ago they came up with a nefarious plot to arbitrarily stop professionals from swapping out their Mac Pro boot drives, and it gave them all the giggles. Not well-intentioned security overkill but a random scheme to stymie customizers.

The word “fact” is already abused, so let’s not use it unless we actually have one.
 
The fact is, the odds of you getting your desktop computer stolen, then hacked by a person who wants your 'valuable' info is likely WAY less than the odds of you getting in a plane crash in your lifetime.

Don't know what Utopia you live in Fella. I know countless people who have had break ins and their machines hacked in the past... sometimes they GO specifically for the desktop / tower cos they know they are way less likely to have even a login!

I've had an old PC workstation stolen in the past and various accounts hacked because of it.

My Brother had his Home Gaming PC stolen and the same thing.
 
I second the HighPoint 7101-A. Allegedly, you can get two of those and get up to 16TB of NVMe drives that can all be combined as 1 RAID0 array through their Cross-Sync drivers that allegedly are supported by macOS and can get R/W speeds of up to 28,000 MBs...

My brain cannot even imagine use for such throughput.

And I just recently built a RAID-10 based array with NVMe drives for my database server. Still nowhere near that performance and it's more than enough to handle a large bank's transactional data lol.

28GB/s would just be... glorious.
What is the purpose of locking the SSD to the computer?

money.

you have to pay them for service. and you have to go into their retail which gets you in their store again.

this is all still possible without locking the system and drive together the way Apple have done it.

other PC's have had built in encryption of drives for years. TPM modules to ensure security. encryption at rest. etc.

and it's never ever needed to be tied down like Apple has done it. the T2 chip is a bad implementation that has a series of problems with it (causing crashes in some devices) with the primary intent of being Apple's "DRM"
 
Carrying the ignorance along that one would ever want to swap out an NVMe 8TB for bigger as a boot drive makes me wonder if you understand the concept behind such a machine.

Who said anything about 8TB? Doesn't the Mac Pro default to a measly 256GB NVMe drive? That's what people are going to want to swap out themselves at a cheaper cost.
 
I haven’t read up about this, but just so I understand: Is it NOT possible to have the system on any other disk except on the built-in?
 
like it or not, the T2 chip (designed for the Mac) ensures the attached drive cannot be removed and simply read on another computer as is the simplest hack on windows drive security. Sure you need to decrypt, but as a slave drive, this is easy with no protection like number of try limits, etc.

the thing is, this is entirely possible without the draconic measures Apple implemented in the T2 chip.

the idea that you can't put a new drive in and have it work is really nonsense from a technical implementation. There's no real reason for it.

encryption like you've said here already is possible without that lock down, both at the OS and BIOS levels. On my PC, if you take my drive out and put it in another machine, you'd never gain access to the data. But at the same time, nothing in my computer blocks me from putting a new drive in its place.

The security aspect of T2 is great. It's some of the choices in implementation that seem to be more influenced by Apple's "lock down first" mentality than actual technical reasons
Carrying the ignorance along that one would ever want to swap out an NVMe 8TB for bigger as a boot drive makes me wonder if you understand the concept behind such a machine.

base Mac Pro comes with 256GB

Upgrading to 2TB for your main drive for example would cost directly through Apple +$960 (CAD)

2TB NVME drives from retail: ~$300 (CAD).

a LOT of people are going to want to upgrade their own because of that pricing.

the T2 is being used to make that difficult with hopes they just pay Apple pricing.
 
good video
wish i had more cash to play with it
wish i had more time to play with it
 
Having to use a PCI card to add another SSD, and not being able to just swap out the boot SSD, is very disappointing for a “modular” computer. My son’s gaming PC we built for $900 has interfaces on the ribbon cable and mount screws built into the side of the $80 case - just pop it in and plug in the cable.

I guess Apple will never ever give us the same flexibility as a Windows PC.

Are you talking about SATA? Because I doubt that your son's gaming rig is using U.2 drives.

So yeah, not comparable whatsoever. Although with Mac Pro using server components rebranded as high end workstation, U.2 would be a logical addition. Not sure why those are missing, although PCIe cards are fine.

Definitely still a better option for connecting enterprise drives than SATA (Who would use a SATA drive in a machine like that? These days they only belong into network attached storage, not local clients) or M.2.
 
Are you talking about SATA? Because I doubt that your son's gaming rig is using U.2 drives.

So yeah, not comparable whatsoever. Although with Mac Pro using server components rebranded as high end workstation, U.2 would be a logical addition. Not sure why those are missing, although PCIe cards are fine.

Definitely still a better option for connecting enterprise drives than SATA (Who would use a SATA drive in a machine like that? These days they only belong into network attached storage, not local clients) or M.2.

Almost every modern motherboard for desktops comes with at least 1 M.2 slot for PCI-E based NVMe storage.



However, if that user is talking about adding storage on a "cable", then it's likely SATA and limited to 500MB/s SATA III controller bandwidth. Which is going to be significantly slower than using their M.2 slot in PCI-E mode
 
Can someone explain why - according to the figures provided in the article - the write speed of Apple's SSD within the Mac Pro (1312MB/s) is slower than the SSD within the MacBook Pro (2519MB/s for the 2018 model as reported here)?

Because it is not enough to make you feel like a fool for spending 6k on a computer with 256G(i)B. The MacPro comes with the slowest PCIe SSD available. This makes Apple toes curl as they are sadists. The fastest commonly available PCIe SSD is the Phison E16, which really does do 5GB/s in my PC.
What is the purpose of locking the SSD to the computer?

In the context of Apple, it is :

1) Profit
ibid
86) security (when someone steals your SSD but not the rest of your heavy computer)
 
Are you talking about SATA? Because I doubt that your son's gaming rig is using U.2 drives.

So yeah, not comparable whatsoever. Although with Mac Pro using server components rebranded as high end workstation, U.2 would be a logical addition. Not sure why those are missing, although PCIe cards are fine.

Definitely still a better option for connecting enterprise drives than SATA (Who would use a SATA drive in a machine like that? These days they only belong into network attached storage, not local clients) or M.2.

Technically, Apple are not using server components, but rather high end workstation. The 2019 mMP would be a great performer if it weren't for what AMD has at a lower price. Both WS and servers share RAM specifications.

U.2 is not a speed upgrade from PCIe M.2 SSD. It adds hot swapping, the sole reason for its use in servers. It even supports SATA.
 
Don't know what Utopia you live in Fella. I know countless people who have had break ins and their machines hacked in the past... sometimes they GO specifically for the desktop / tower cos they know they are way less likely to have even a login!

I've had an old PC workstation stolen in the past and various accounts hacked because of it.

My Brother had his Home Gaming PC stolen and the same thing.
I live in a modern area where we have locks on doors and standard home security cams.

I don't live in a Utopia, but rather wherever you live sounds like a hellhole of crime and danger.
 
Are you talking about SATA? Because I doubt that your son's gaming rig is using U.2 drives.

No but probably NVMe which is good enough for non enterprise options and typically significantly cheaper.

Definitely still a better option for connecting enterprise drives than SATA (Who would use a SATA drive in a machine like that? These days they only belong into network attached storage, not local clients) or M.2.
SATA still has its place. It's good enough for 99% of storage needs and you can stack way more of them in a machine than NVMe because most boards run out of PCIe lanes. And you can get quite the bargain on most SATA drives.

On my PC I've got 2 NVMe drives, 2 SATA SSDs (one is an old 1TB OWC), and one mSATA drive. On most workloads you'd be hard pressed to tell the difference.
 
So... what case scenario you need a $1500 drive because its "faster" than an already fast SSD? What form of work has someone transferring files within the same computer so much that it makes this worth it?

I also wonder how many units OWC sells to make this worth while manufacturing? Or is this another one of those products that is manufactured by another brand but they slap their name on it like DVD drives?
 
So... what case scenario you need a $1500 drive because its "faster" than an already fast SSD? What form of work has someone transferring files within the same computer so much that it makes this worth it?

I also wonder how many units OWC sells to make this worth while manufacturing? Or is this another one of those products that is manufactured by another brand but they slap their name on it like DVD drives?

This. The benefit of these super fast SSDs is minimal. The big jump is going from a spinning drive to any garden variety SATA SSD. After that, it's a law of severely diminishing returns.

The transformational aspect of ssds comes from almost instantaneous access times, which ANY ssd will give you.

Yet that won't stop all these numbnuts from pulling out their SSD read/write test results, even though they could barely notice the difference in real world use.
 
Although harsh about it, you make a few good points. Right up until here. You’re suggesting that in some meeting at Apple Park a couple of years ago they came up with a nefarious plot to arbitrarily stop professionals from swapping out their Mac Pro boot drives, and it gave them all the giggles. Not well-intentioned security overkill but a random scheme to stymie customizers.

The word “fact” is already abused, so let’s not use it unless we actually have one.

Spot on assessment. Ignorance with respect to the T2 chip and its purpose, benefits, and limitations is running rampant here. Seems many here cannot be bothered to even read Apple's T2 technical document and rather spew a bunch of made up nonsense.
 
Thank you for the replies. Even after reading, I still do not understand the benefit of locking the drive to a computer. Is file vault encryption not good enough?

Mostly, it is speed. The encryption is being done by the T2 chip, at the full speed of the drive. You get a tiny bit of latency, but not much.
Windows has Bitlocker and of course Linux systems have LUKS which is much more secure than Apple's T2 system which is partly relying on obscurity for its security.

Bitlocker is like Apple T2 system which is partly relying on obscurity for its security. So if you are in Windows you are better off with Veracrypt. It can encrypt your boot drive and it is an open source and has been audited by 3rd party organizations.

Software encryption is very slow. This is designed for editing real time 8k video, uncompressed.

How so more than full disk encryption?

Speed and the key can not be extracted.

Done.

Don't get me wrong T2 enclave is a great technology specially managing keys by itself to avoid doing that in RAM or in CPU which might be compromised but still I can't find any good reason why you can't just plug a new drive and let T2 create a volume key for this new drive using whatever key generation it can deploy.

Aside from security through obscurity I don't like the idea that me being the owner of the data doesn't have access to the volume key but Apple has. That is a big no in digital security. But the big problem really is security through obscurity.

Apple does not have access to the key. If you want them to upgrade the drive, they must boot it using your password, then copy the data off. Then they plug in the new drive and copy it back, using your password. They don't bypass the T2 chip. They can't do it without your password. If you created a recovery key, they can use that.

My brain cannot even imagine use for such throughput.

And I just recently built a RAID-10 based array with NVMe drives for my database server. Still nowhere near that performance and it's more than enough to handle a large bank's transactional data lol.

28GB/s would just be... glorious.





this is all still possible without locking the system and drive together the way Apple have done it.

other PC's have had built in encryption of drives for years. TPM modules to ensure security. encryption at rest. etc.

and it's never ever needed to be tied down like Apple has done it. the T2 chip is a bad implementation that has a series of problems with it (causing crashes in some devices) with the primary intent of being Apple's "DRM"

If you did not lock it down, you would wind up sending the data through the system bus. The way this works, encryption is completely transparent to the computer. No encrypted data ever touches anything north of the T2.

So... what case scenario you need a $1500 drive because its "faster" than an already fast SSD? What form of work has someone transferring files within the same computer so much that it makes this worth it?

I also wonder how many units OWC sells to make this worth while manufacturing? Or is this another one of those products that is manufactured by another brand but they slap their name on it like DVD drives?

Editing uncompressed 4k video, even more so for 8k.
 
Having to use a PCI card to add another SSD, and not being able to just swap out the boot SSD, is very disappointing for a “modular” computer. My son’s gaming PC we built for $900 has interfaces on the ribbon cable and mount screws built into the side of the $80 case - just pop it in and plug in the cable.

I guess Apple will never ever give us the same flexibility as a Windows PC.

Why, oh why, this type of comment was not expected... and you also have a car that can drive from one point to another and cost 1/3 the price of a Porsche, so why buy a Porsche? Did you read your post prior to pressing the “post reply“ button? I mean, did you really seriously consider posting this before you effectively did?

i rest my case...
 
Having to use a PCI card to add another SSD, and not being able to just swap out the boot SSD, is very disappointing for a “modular” computer. My son’s gaming PC we built for $900 has interfaces on the ribbon cable and mount screws built into the side of the $80 case - just pop it in and plug in the cable.

I guess Apple will never ever give us the same flexibility as a Windows PC.

If you're going to add an SSD to your computer, especially one as high-end as this one, you want to do it with the highest possible level of performance. A PCIe card is really the best way at this point.
Almost every modern motherboard for desktops comes with at least 1 M.2 slot for PCI-E based NVMe storage.

Also, just to note, they do sell PCIe to M.2 adapters, and they're cheap. So if you want to use an M.2 drive in the Mac Pro it's trivial to do so.

I'm not sure why people are trying to find overly cheap ways to add storage to this machine. If you can spend upwards of $6K on a computer, you might as well get the fastest damn storage you can and connect it with the fastest bus possible.

Maybe if Apple comes out with a less expensive "enthusiast" tower, these arguments will make a bit more sense.
 
Editing uncompressed 4k video, even more so for 8k.

LOL. At 6TB for 90 minutes of uncompressed 4k footage, or 18TB for 90 minutes of uncompressed 8k storage you're not storing this on any SSD. You are doing it over a purpose built NAS or TB connected array. And then there's the wear on the SSD write cycles.
 
Having to use a PCI card to add another SSD, and not being able to just swap out the boot SSD, is very disappointing for a “modular” computer. My son’s gaming PC we built for $900 has interfaces on the ribbon cable and mount screws built into the side of the $80 case - just pop it in and plug in the cable.

I guess Apple will never ever give us the same flexibility as a Windows PC.


Right, because those EIGHT PCIe slots STILL aren't enough flexibility. /s

Good grief.

Seriously... what on earth is your problem here? What is wrong with adding PCIe SSD instead of swapping out the "boot" SSD. The boot SSD is PCIe anyway.

On the one hand people are complaining that the bundled base SSD at 256GB isn't enough. On the other hand people are complaining they can't swap it out.

Let's be happy they just put a basic SSD in there as an emergency default recovery drive or whatever. The thing to fall back on if your PCIe drive faults somehow so you can at least do troubleshooting or whatever. That's better than not having anything in there at all. They could have done that. BYO SSD. So ignore it. Don't even bother using it. It's irrelevant. Pretend it isn't there. Just put whatever the hell you want in any of the 8 PCIe slots and quit complaining.

There's no pleasing some people.
 