Once a Mac has cleared its initial self-test routines (POST), and key custom chips like the SMC or T2 are running, the next step is to load the EFI firmware. This in turn prepares the Mac to load and run the kernel, together with its extensions, which then provide all the basic facilities for the rest of macOS.
In most recent Mac models, the boot loader is a file named boot.efi which is stored in a set location on the startup disk. Before that can happen, the Mac has a lot to do in what Apple refers to as BootROM. Among the hardware which has to become accessible are the following:
- SMC/T2 chip;
- NVRAM for many settings;
- audio output for POST sounds (not recent MacBook Pro models);
- basic display output;
- external USB or integral keyboard, to detect startup keys being held and react accordingly;
- internal and external storage devices, in turn requiring internal SATA/NVMe support, and external USB and Thunderbolt ports;
- Wi-Fi and/or ethernet networking.
In addition to initial self-test, key processes which take place during the BootROM phase are:
- detection of the T key to enter Target disk mode;
- determining whether a firmware password is set; if so, handling password entry and validation;
- detection of the Option key and running Startup Manager, to allow the user to select a startup disk/device;
- when booting from an encrypted HFS+ disk (FileVault 2), displaying the login interface to prompt for the user’s password and initiate decrypted access;
- detection and enumeration of disk devices and their partitions, and selection of the startup disk and operating system;
- implementing the current security setting for Secure Boot on models with a T2 chip.
On a non-T2 Mac booting from an HFS+ disk, the boot loader is the file named boot.efi in /System/Library/CoreServices, on the startup volume. When the startup disk is encrypted using HFS+ FileVault 2, Apple’s Boot≠Root technology boots from a non-root partition. The same approach is used when the root partition is on a device which requires additional drivers, such as an external RAID array which may rely on a kernel extension for access. This stores the files needed to boot in a helper partition.
On a non-T2 Mac booting from an APFS disk, the boot loader is the file named boot.efi on the Preboot volume /dev/disk1s2. This is found in a folder named by UUID, which in turn matches the root volume, in the path /System/Library/CoreServices again.
Only available on Macs equipped with a T2 chip, this is controlled in Startup Security Utility, which is available in Recovery mode. It supports three different levels, with the additional choice of whether to allow booting from external storage:
- Full security, in which a signature is made of the boot loader and other components using a security certificate supplied by Apple online, at macOS installation time. Before loading boot.efi, its signature is compared against the value saved in NVRAM. If the signature doesn’t match, integrity information is downloaded from Apple, you can reinstall macOS, or lower the security level; if it matches, then boot.efi can be loaded, and startup proceeds normally.
- Medium security, in which checks only ensure that boot.efi and the macOS or Windows to be loaded is properly signed by Apple/Microsoft. If this fails, you can reinstall macOS/Windows or use a different startup disk.
- No security, in which a normal boot process is used, with no added security checks.
Several steps in Secure Boot expect to be able to contact Apple servers when they are running integrity checks. Although there are fallbacks in each case, Secure Boot works best when the Mac is connected to the internet.
With the basic services running and boot.efi located and (where necessary) approved, the Mac then loads it, and enters the EFI phase proper, which I will describe in the next article.
Apple’s Kernel Programming Guide, covers macOS up to about 10.7.
Apple on Secure Boot.
twocanoes on SecureBoot and the 2017 iMac Pro.
Duo Labs on iMac Pro and Secure Storage.
mikeymikey on the Secure Boot process.