ARM doesn't have a concept of anything like the management engine, but remember it's just an ISA and actual SoC implementations like from Qualcomm, Samsung, Apple, Amazon, etc. are free to add their own logic and side controllers.
That's different. It's a feature where Apple deliberately keeps some components running after shutdown, in a very low-power way, and provides an option to turn that off. Those components (the Bluetooth chip, for example) are all strictly separated from each other by IOMMUs.
Intel Management Engine is very different. It's basically another CPU within your real CPU, running its own software with no visibility to the main OS, and it has (AFAIK) full access to other components. If it's compromised, or has a factory backdoor, you're 0wned.
The closest thing to Intel IME that the iPhone has is the baseband, which can run its own code. But if I'm reading marcan correctly (https://news.ycombinator.com/item?id=30393283), modern iPhones/Android phones all use IOMMUs to isolate that (with the exception of a few so-called "free/libre" phones). The IOMMUs can be easily inspected from the OS to make sure they're correct, so it's just not a concern, unlike IME.
The baseband doesn't have control over the application (main) processor the way IME does, however, and Apple is rightfully distrustful of Qualcomm's security and the two are fairly stringently separated. What a baseband (or WiFi controller) rootkit can do, however, is intercept all your network traffic, and inject exploits for software bugs in the main OS.
I would expect Apple's quality control processes to pick this up. They're so closely involved in the chip design process that it's hard to imagine Apple's engineers debugging wouldn't notice something was amiss.
Not to mention the technical challenge of quickly understanding and editing Apple’s designs from the limited information that is shared with the foundry.
The device could be dormant until it gets a signal, meaning Apple won't find it unless they cut up the die. And they could attach it to anything that looks like a bus, then figure out how to exploit it later.
Edit: Yes, it's called TrustZone.
https://en.wikipedia.org/wiki/ARM_architecture_family#Securi...