Booting the Mac: loading boot.efi and Secure Boot

Once a Mac has cleared its initial self-test routines (POST), and key custom chips like the SMC or T2 are running, the next step is to load the EFI firmware. This in turn prepares the Mac to load and run the kernel, together with its extensions, which then provide all the basic facilities for the rest of macOS.

In most recent Mac models, the boot loader is a file named boot.efi which is stored in a set location on the startup disk. Before that can happen, the Mac has a lot to do in what Apple refers to as BootROM. Among the hardware which has to become accessible are the following:

SMC/T2 chip;
NVRAM for many settings;
audio output for POST sounds (not recent MacBook Pro models);
basic display output;
external USB or integral keyboard, to detect startup keys being held and react accordingly;
internal and external storage devices, in turn requiring internal SATA/NVMe support, and external USB and Thunderbolt ports;
Wi-Fi and/or ethernet networking.

In addition to initial self-test, key processes which take place during the BootROM phase are:

detection of the T key to enter Target disk mode;
determining whether a firmware password is set; if so, handling password entry and validation;
detection of the Option key and running Startup Manager, to allow the user to select a startup disk/device;
when booting from an encrypted HFS+ disk (FileVault 2), displaying the login interface to prompt for the user’s password and initiate decrypted access;
detection and enumeration of disk devices and their partitions, and selection of the startup disk and operating system;
implementing the current security setting for Secure Boot on models with a T2 chip.

On a non-T2 Mac booting from an HFS+ disk, the boot loader is the file named boot.efi in /System/Library/CoreServices, on the startup volume. When the startup disk is encrypted using HFS+ FileVault 2, Apple’s Boot≠Root technology boots from a non-root partition. The same approach is used when the root partition is on a device which requires additional drivers, such as an external RAID array which may rely on a kernel extension for access. This stores the files needed to boot in a helper partition.

On a non-T2 Mac booting from an APFS disk, the boot loader is the file named boot.efi on the Preboot volume /dev/disk1s2. This is found in a folder named by UUID, which in turn matches the root volume, in the path /System/Library/CoreServices again.

Secure Boot

Only available on Macs equipped with a T2 chip, this is controlled in Startup Security Utility, which is available in Recovery mode. It supports three different levels, with the additional choice of whether to allow booting from external storage:

Full security, in which a signature is made of the boot loader and other components using a security certificate supplied by Apple online, at macOS installation time. Before loading boot.efi, its signature is compared against the value saved in NVRAM. If the signature doesn’t match, integrity information is downloaded from Apple, you can reinstall macOS, or lower the security level; if it matches, then boot.efi can be loaded, and startup proceeds normally.
Medium security, in which checks only ensure that boot.efi and the macOS or Windows to be loaded is properly signed by Apple/Microsoft. If this fails, you can reinstall macOS/Windows or use a different startup disk.
No security, in which a normal boot process is used, with no added security checks.

Several steps in Secure Boot expect to be able to contact Apple servers when they are running integrity checks. Although there are fallbacks in each case, Secure Boot works best when the Mac is connected to the internet.

With the basic services running and boot.efi located and (where necessary) approved, the Mac then loads it, and enters the EFI phase proper, which I will describe in the next article.

References

Apple’s Kernel Programming Guide, covers macOS up to about 10.7.
Apple on Secure Boot.
twocanoes on SecureBoot and the 2017 iMac Pro.
Duo Labs on iMac Pro and Secure Storage.
mikeymikey on the Secure Boot process.

6Comments

Add yours

1

meckernburg on August 10, 2018 at 2:42 pm

Thanks for that. As far as I can tell, as well as enabling wired keyboards at an early stage, the firmware makes a shot at connecting to a known Bluetooth keyboard. In my experience, it’s a bit hit-and-miss: most times, a start-up key combination from a Bluetooth keyboard is registered; but sometimes it’s not. Wired is more dependable.

LikeLiked by 1 person
- 2
  
  hoakley on August 10, 2018 at 3:03 pm
  
  Thank you.
  I think Bluetooth is highly dependent on model (and firmware), and which startup keys – because I don’t think it is available until after the boot loader has loaded.
  So startup keys for Target mode and Startup Manager, which are I think detected during the BootROM phase, can’t be detected on a wireless keyboard, but those for Recovery mode can be, as they are detected later.
  In practice, I think it’s worth switching to a wired keyboard, e.g. by plugging an Apple rechargeable keyboard in using its charging cable, whenever you need to use a startup combination, as you then know that all startup keys will work. I have had Macs sail straight through into a normal startup when I wanted Recovery or diagnostics, but had forgotten to connect to USB.
  Howard.
  
  LikeLike
3

Booting the Mac: loading boot.efi and Secure Boot | Firmware Security on August 10, 2018 at 5:14 pm

[…] Booting the Mac: loading boot.efi and Secure Boot […]

LikeLike
4

Robert Hancock on August 10, 2018 at 10:44 pm

In relation to boot.efi, there is a serious bug in the bless command that occurs when installing either High Sierra or any of the Mojave betas on an Apple APFS boot RAID slice. This bug is serious because it PREVENTS an OS install, which is about as bad as it can get for a user.

It first occurred more than a year ago in HS and has now slipped into the Mojave betas.

The SuperDuper devs have pinned down what they believe the cause is for High Sierra installs and have described it at https://www.shirt-pocket.com/blog/index.php/shadedgrey/comments/so_many_rabbit_holes_so_little_time/.

The relevant line is:
“The code that’s having problems is in BLCreateBooterInformationDictionary.c in Apple’s Open Source bless project. After some additional investigation, it looks like, in this case, if the APFS container is on an Apple RAID, bless can’t find the Preboot volume and doesn’t properly set up the container.”

Although this bug only affects a small subset of Mac RAID users, they are the group that tend to use iMacPro and Mac Pro models, so a problem like this could easily impact sales of the iMacPro and new 2019 Mac Pro.

LikeLike
5

Greg on April 11, 2019 at 4:58 am

Have a laptop that intermittently or completely fails to boot (has been repaired twice already and follows a path of stubbornness before completely dead). When stubborn, takes multiple attempts over 5-10 minutes or so (no particular pattern of coming back after resetting SMC, PRAM, etc). When it fails to boot, no backlight, Apple logo, external display, or response to key to select target disk. Only response is a ramping of the fans (takes a few seconds to become audible).

With these symptoms and your very useful information, my read on this is that the failure must be in hardware. Am I missing something? Is there any possibility that OSX or software on my hard drive is causing these failures to boot?

LikeLike
- 6
  
  hoakley on April 11, 2019 at 5:51 am
  
  You should certainly eliminate hardware problems before going any further.
  I presume that running Diagnostics returns a normal result code? And that Apple’s advanced diagnostics (e.g. in a Genius Bar) also fails to find a hardware issue?
  Unfortunately intermittent hardware faults can be very tough to identify.
  Otherwise, it’s back to a clean install and see if that solves it.
  Which model and version of macOS?
  Howard.
  
  LikeLike

Share this:

Related