MacBook cold boot/evil maid attack protection with Lockdown Mode

In this article Sun Knudsen talks about a way to protect Mac computers from cold boot attacks by running

sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25 standbydelaylow 0 standbydelayhigh 0

to tell macOS to 1) destroy the password when the computer goes to standby mode, 2) store the contents of the RAM to the hard drive and power off the RAM (which clears its data), and 3) enable standby mode immediately when the battery is put to sleep.

My question is: is this protection still necessary with Lockdown Mode enabled? Which, relevant to this, means that to "connect your Mac laptop with Apple silicon to an accessory, your Mac needs to be unlocked and you need to provide explicit approval".

After writing this out, I'm assuming the answer is "yes, it will help if the attack does not use the accessory ports"?
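
A small check script, added here as an example and not taken from Sun Knudsen's article or from either post: it parses the output of `pmset -g custom`, which as far as I know lists each setting as "key value" under a "Battery Power:" and an "AC Power:" header, and reports per section whether the four settings in the command above are actually in effect. A key that pmset does not print at all is reported as missing rather than silently passing, which is the case you want to catch if a setting was not accepted. The sample output embedded in the script is constructed, not captured from a real Mac, and the EXPECTED, check_pmset_output and run_sample_check names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or the linked article): verify that the
# pmset settings quoted in the post are actually in effect, by parsing the
# output of `pmset -g custom`, which lists settings per power source.
#   sh check_pmset.sh                       -> checks the constructed sample below
#   pmset -g custom | sh check_pmset.sh -   -> checks the real output on a Mac

# The four settings named in the post and the values it recommends.
EXPECTED="destroyfvkeyonstandby=1 hibernatemode=25 standbydelaylow=0 standbydelayhigh=0"

# check_pmset_output: read pmset output on stdin; print one line per expected
# key and section ("OK", "MISMATCH" or "MISSING"); return 0 only if every
# section that lists settings has all four keys at the expected values.
check_pmset_output() {
    awk -v expected="$EXPECTED" '
    BEGIN {
        n = split(expected, pairs, " ")
        for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); want[kv[1]] = kv[2] }
        section = ""; in_section = 0; bad = 0
    }
    # A key that pmset never printed is reported too, so a setting that was
    # rejected or is unavailable on this machine does not pass silently.
    # Title lines with no settings under them (e.g. "System-wide power
    # settings:" from plain `pmset -g`) are skipped via in_section.
    function finish_section(    k) {
        if (!in_section) return
        for (k in want) if (!seen[k]) { printf "MISSING  %s %s\n", section, k; bad = 1 }
    }
    # Section headers end with a colon: "Battery Power:" / "AC Power:".
    /:[ \t]*$/ {
        finish_section()
        sub(/:[ \t]*$/, ""); section = $0
        in_section = 0
        for (k in want) seen[k] = 0
        next
    }
    # Setting lines are "<key> <value>", indented under a header.
    NF >= 2 { in_section = 1 }
    NF >= 2 && ($1 in want) {
        seen[$1] = 1
        if ($2 == want[$1]) printf "OK       %s %s=%s\n", section, $1, $2
        else { printf "MISMATCH %s %s got=%s want=%s\n", section, $1, $2, want[$1]; bad = 1 }
    }
    END { finish_section(); exit bad }
    '
}

# Constructed sample (not captured from a real machine): hardened on battery,
# but hibernatemode was left at a default value on AC power.
SAMPLE_PMSET_OUTPUT='Battery Power:
 lidwake              1
 hibernatemode        25
 destroyfvkeyonstandby 1
 standbydelaylow      0
 standbydelayhigh     0
AC Power:
 lidwake              1
 hibernatemode        3
 destroyfvkeyonstandby 1
 standbydelaylow      0
 standbydelayhigh     0'

# run_sample_check: run the checker over the constructed sample; returns its status.
run_sample_check() {
    printf '%s\n' "$SAMPLE_PMSET_OUTPUT" | check_pmset_output
}

if [ "${1:-}" = "-" ]; then
    # Real output piped in from pmset.
    check_pmset_output || echo "at least one setting differs from the recommended values"
else
    # No "-" argument: demonstrate on the sample (flags hibernatemode on AC).
    run_sample_check || echo "at least one setting differs from the recommended values"
fi
```

The script exits non-zero from check_pmset_output whenever a section that lists settings has a mismatch or lacks one of the four keys, so it can be dropped into a shell profile or a periodic check without reading the report by eye.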
I don’t see the correlation.

There is nothing mentioned about this in the lockdown specs you shared. So I would assume it is not part of it.

Now, destroying keys in memory is a good thing. But I am a bit confused, because the key should be stored in the TPM, or as Apple calls it, the SE. This runs on dedicated DRAM (SoC) that is tamper-proof. A cold boot attack is therefore very unlikely to succeed.
Cold boot attacks are only possible if you have the means to relatively quickly freeze the memory or wiretap it. These seem to me unfeasible in this setup.
If you break the tamper protection, usually a liquid is released that destroys the chip (I am not familiar with Apple's design here). Also, Apple's hardware is soldered, so it requires you to heat the chip to desolder it. That will make the contents of the DRAM wipe quicker.

All in all, a nice theory, and it probably won't hurt to enable this, but necessary? I guess not.

I'm aware Lockdown Mode doesn't do the same thing, but as it blocks accessory port use while locked, I thought it might help somewhat against these attacks.

The trade-off seems to be between the annoyance of entering the password every time (instead of Touch ID, and the potential for snooping this brings) and the small delay while the RAM is loaded up again each time, vs. being secure from someone copying the encryption key from the RAM.

But if the key is in the Secure Enclave like you say, then it might not be worth it?