hoakley August 30, 2018 Macs, Technology

Booting the Mac: bless, and what makes a volume bootable

The last piece in the puzzle that is the booting of a Mac is understanding how any given volume is made bootable, and how it can be made the next startup volume.

This used to be simple, before the advent of SIP, APFS, and Secure Boot in the T2, and came down to a single very complex command bless. That could:

write the information to the volume header which declared that volume as being bootable;
set the two NVRAM variables efi-boot-device and efi-boot-device-data to make any bootable volume the next startup disk;
prepare a volume so that it could be made bootable, by copying boot.efi to the right place;
configure the Mac to boot not from a local volume but from a server, using NetBoot;

and more. You can see why bless is complex to use.

Now, the only use of bless which you should be happy with, unless you really know what you’re doing, is
bless --info
which returns information about the current boot settings, such as
finderinfo[0]: 325985023 => Blessed System Folder is /System/Library/CoreServices finderinfo[1]: 342576416 => Blessed System File is /System/Library/CoreServices/boot.efi finderinfo[2]: 0 => Open-folder linked list empty finderinfo[3]: 0 => No alternate OS blessed file/folder finderinfo[4]: 0 => Unused field unset finderinfo[5]: 325985023 => OS X blessed folder is /System/Library/CoreServices 64-bit VSDB volume id: 0x[omitted]
The numbers given for each of the lines in the boot settings are the file system inode numbers, which are more persistent than the conventional paths which they resolve to. macOS here uses inode numbers instead of paths; you can use my free utility Precize to explore inodes and their relatives.

Try this command on a Mac booted from an APFS volume, and you’ll be disappointed: you either have to run it with privileges as
sudo bless --info
or after mounting the preboot volume, which rather defeats its purpose, perhaps. You’ll then be given the inodes and paths to the Blessed System File and Folder on that preboot volume, and the Blessed Volume for the container should be given as the root path, /.

If you use any of its other options, there is always the risk that you will render that Mac unbootable (at least temporarily), so you should be extremely cautious.

Making a volume bootable is a task which the user very seldom has to do. When you install macOS on a volume, the installer should do that for you as part of the service. If you use a tool such as Carbon Copy Cloner or SuperDuper to clone an existing bootable volume, one of its options should be to make that cloned disk bootable by blessing it. Only if that fails, or if you are trying to perform this task by hand, should you ever need to use the bless command in anger. When you do, study its man page very carefully and make sure that you get the command right.

The first blow to bless came in macOS 10.11: one of the side-effects of SIP is that it shouldn’t be used to try to set the startup disk. Its replacement is systemsetup -setstartupdisk if you need to do this at the command line. Only that doesn’t work in T-2 equipped iMac Pro models, which apparently require you to enter Recovery mode and disable SIP before you can use the command. Secure Boot is another issue which can limit what you can do with bless, an issue which is still being explored, as far as I can tell.

Additionally, bless is currently suffering from a bug which makes it incompatible with APFS containers on Apple RAID arrays: it is unable to find the Preboot volume in that case, and cannot set the container up as being blessed.

Before you try blessing any volume, you should ensure that it has what it takes to be a boot volume too. Normally, on a non-T2 Mac booting from an HFS+ disk, it needs a boot loader at /System/Library/CoreServices/boot.efi. A helper partition is normally used when a disk is encrypted using HFS+ FileVault 2, or the storage device requires additional drivers, such as an external RAID array.

On a non-T2 Mac booting from an APFS disk, the boot loader should be in the path [UUID]/System/Library/CoreServices/boot.efi on the special Preboot volume /dev/disk1s2.

One final requirement which is sometimes forgotten, but which can stop any of this from happening, is that the hardware – the Mac’s interface and the drive enclosure (for external disks) – must support booting that Mac. Some drive cases offer connections such as USB 3 or Thunderbolt which cannot be used to boot through, even though many other external drives use the same connection very successfully. This affected some who tried to install early betas of macOS Mojave on external drives, for example, although in most cases the installation failed. Changing the interface used and the connection can often work around these quirks.

15Comments

Add yours

1

Robert Hancock on August 30, 2018 at 8:26 pm

Thanks for giving this bless command Preboot volume bug with APFS RAID some coverage—perhaps it will shame Apple into fixing it. There is a school of thought that this is a deliberate move by Apple to prevent RAID booting for security purposes—I’m not sure how valid that argument is. I’ve emailed both Federighi and Cook pleading for a fix but they almost never answer emails, so I’m not holding my breath.

LikeLiked by 1 person
- 2
  
  hoakley on August 30, 2018 at 8:28 pm
  
  Thank you for drawing my attention to it.
  It will be interesting to see how many of these bugs get fixed in the final release in a few weeks – it’s not long to the Golden Master, I would have thought.
  Howard.
  
  LikeLike
3

Booting the Mac: bless, and what makes a volume bootable – Firmware Security on August 30, 2018 at 9:32 pm

[…] Booting the Mac: bless, and what makes a volume bootable […]

LikeLike
4

rogparish on September 1, 2018 at 11:38 am

Bless doesn’t appear to work on Fusion drives, either.

Melmoth:~ rparish$ bless –info
Could not interpret boot device as either network or disk
Can’t interpet EFI boot device

LikeLiked by 1 person
- 5
  
  hoakley on September 1, 2018 at 11:41 am
  
  Try sudo?
  
  LikeLike
6

rogparish on September 1, 2018 at 11:43 am

Nope, no joy!

Melmoth:~ rparish$ sudo bless –info
Password:
Could not interpret boot device as either network or disk
Can’t interpet EFI boot device

LikeLike
- 7
  
  hoakley on September 1, 2018 at 11:44 am
  
  Is that APFS? In Sierra it works fine on HFS+.
  
  LikeLike
  - 8
    
    rogparish on September 1, 2018 at 12:54 pm
    
    No, it’s a roll-your-own Fusion drive in a 2012 MacBook Pro, running High Sierra 10.13.6.
    
    My Fusion:
    
    Available: 601.1 GB (601,104,936,960 bytes)
    Capacity: 982.5 GB (982,504,833,024 bytes)
    Mount Point: /
    File System: Journaled HFS+
    Writable: Yes
    Ignore Ownership: No
    BSD Name: disk2
    Volume UUID: 31C412EE-67E0-3207-8F6A-3F89F0F2B05A
    Logical Volume:
    Revertible: No
    Encrypted: No
    LV UUID: 5094FB7F-5DA3-494E-9761-E7C0040E1598
    Logical Volume Group:
    Name: FUSION
    Size: 989.01 GB (989,010,051,072 bytes)
    Free Space: 41 KB (40,960 bytes)
    LVG UUID: FEF85176-B1E5-4598-96BE-2F9319389278
    Physical Volumes:
    disk0s2:
    Device Name: OWC Mercury Electra 6G SSD
    Media Name: OWC Mercury Electra 6G SSD Media
    Size: 239.71 GB (239,713,435,648 bytes)
    Medium Type: SSD
    Protocol: SATA
    Internal: Yes
    Partition Map Type: GPT (GUID Partition Table)
    Status: Online
    S.M.A.R.T. Status: Verified
    PV UUID: 571D7075-60E1-4B3E-A3B3-5361200FFFEC
    disk1s2:
    Device Name: APPLE HDD HTS547575A9E384
    Media Name: APPLE HDD HTS547575A9E384 Media
    Size: 749.3 GB (749,296,615,424 bytes)
    Medium Type: Rotational
    Protocol: SATA
    Internal: Yes
    Partition Map Type: GPT (GUID Partition Table)
    Status: Online
    S.M.A.R.T. Status: Verified
    PV UUID: C61BB9B8-2AE1-401E-8AB5-AA03FCF4727B
    
    LikeLiked by 1 person
    - 9
      
      hoakley on September 1, 2018 at 1:05 pm
      
      Ah. It works fine with Apple Fusion Drives, though. Quite what the difference should be, I don’t know.
      Howard.
      
      LikeLike
10

Mike Richardson on June 2, 2019 at 3:13 pm

Is preboot required to be /dev/disk1s2? On my system its /dev/disk1s4 and I am having problems.

LikeLiked by 1 person
- 11
  
  hoakley on June 2, 2019 at 3:31 pm
  
  I don’t know, but I’ve not seen any different. If you’re having problems, would it be worth backing everything up and starting from scratch again? You’d probably need to do this in Remote Recovery, or booted from a USB installer drive.
  Howard.
  
  LikeLike
12

Me Me on June 6, 2019 at 6:14 am

Would you write a blog entry on the last paragraph? I have found that Apple support has tried to be helpful but they don’t know how to answer the question of “what is required from an external enclosure to boot Mac OS?” Before I buy an expensive external NVMe Thunderbolt drive, I thought that a simple USB-C 3.1 Gen 2 enclosure with UASP would bridge the gap. It turns out that I can only get my Mac to boot with the USB-C to USB-A cable but not the USB-C cable connected to the Thunderbolt 3 port AND TRIM/UNMAP is not supported via USB on Mac OS. Is there something special on the Mac with regards to Thunderbolt security as other systems, like Dell, require BIOS changes to boot from the Thunderbolt port.

LikeLiked by 1 person
- 13
  
  hoakley on June 6, 2019 at 6:20 am
  
  Thank you.
  I wish I could, but it appears completely unpredictable. macOS – even Catalina – don’t require any changes, although if your Mac has a T2 chip, you may well need to changes in Secure Boot settings in Recovery mode to allow booting from an external drive.
  One thing it should never require is any drive utility software, as is often supplied by external drive suppliers: they often cause more problems that they’re worth.
  But yes, it depends on the cable, the interfaces used, and the external drive firmware itself. I don’t know of any way to predict which work, and which don’t. I’d love to hear of one too, as I run betas from an external SSD, and it’s always a bit of gamble as to whether I’ll need to use my external Thunderbolt 3 dock, or just connect the drive directly.
  Howard.
  
  LikeLike
  - 14
    
    Me Me on June 6, 2019 at 9:44 pm
    
    Thank you for the feedback! I have to say your blog is just fantastic and is a real must for power Mac users. Does anyone have success with specific external NVMe Thunderbolt devices OR external USB enclosures that work for boot? Better yet, is there a website that lists this?
    
    LikeLike
    - 15
      
      hoakley on June 6, 2019 at 9:54 pm
      
      I don’t know that anyone has collected that information. I have a couple of Crucial SSDs in Ineo T3 cases which work fine, although they did have problems with early betas of Mojave a year ago and I had to hook them up to a T3 dock for it to boot reliably from them.
      Howard.
      
      LikeLiked by 1 person

·Comments are closed.

Share this:

Related