hoakley September 14, 2020 Macs, Technology

Will Big Sur support the cloning of System volumes?

Catalina and Big Sur each bring major structural changes to boot disks. Big Sur builds on Catalina’s separate System and Data volumes by sealing the System using cryptographic hashes, making a snapshot of the result, then mounting that snapshot for use as its Sealed System Volume (SSV). Does that mean that Big Sur’s new SSV is impossible to clone to another disk or container?

To understand what is required to make a cloned System volume bootable in Big Sur, it’s instructive to consider the steps which macOS Installers and updaters go through. As we’ve not seen any production versions of these yet, I here look at broad concepts as described in Apple’s article about the SSV, and my own previous outline.

In both 10.15 and 11.0, the System volume has to be mounted read-write, SIP disabled, and the system files installed in their directory tree. Both also have to ensure that the correct firmlinks are made to link the System and Data volumes in the Volume Group, and install mutable system files to the Data volume.

Big Sur also has to create the hierarchy of SHA-256 hashes which form its new sealed system. These cover every file on the System volume individually, and the file system metadata, in a hierarchical structure culminating in a single top-level hash known as the Seal. That is then verified against a value which is signed by Apple, providing a chain of trust for everything in that System volume.

When that has been completed correctly, a snapshot is made of the new System volume, which is specially designated as a System snapshot and blessed. If there is more than one previous System snapshot on that volume, the old and now expired snapshot(s) should be deleted, leaving only the previous snapshot, to which macOS can roll back if needed, and the new one.

Both 10.15 and 11.0 conclude by enabling SIP and unmounting the System volume, then restarting the Mac in normal mode again. In Catalina, the System volume is then mounted read-only for use, while in Big Sur its Seal is checked first before mounting the new system snapshot.

These are summarised in this diagram.

BigSurInstall1

Making a bootable clone in Big Sur has to pass through the same basic process as that, and its pinch point is the sealing process. Currently, performing that is the preserve of two Apple tools: its system installer, and the tool asr, Apple Software Restore. Apparently at present only the first of those is working, which means that third-party software designed to work with clones can’t use asr to seal a clone, making that clone unbootable, unless the user turns off cryptographic verification of the System volume altogether.

As it happens, this isn’t as disastrous as might appear. There’s a good workaround which you can use with Big Sur until asr is fixed and Carbon Copy Cloner and SuperDuper! can clone its System volume. Instead of trying to clone the SSV, simply install a new Big Sur System volume in a container with a cloned Data volume. Ensure the installer links the new System volume with the existing Data volume by selecting the latter as the ‘disk’ on which to install macOS 11.0.

Finally, where does this leave the traditional process of repairing the System volume in Big Sur?

If any damage occurs to the files or file system of an SSV, this immediately breaks its seal, for which the only remedy is to re-install macOS 11.0. It is possible to un-seal a system to modify it, but as only the system installer and asr can seal an unsealed System volume, there isn’t a place for repair tools. Neither should there be any need, as the System volume is only mounted as a snapshot on a read-only SIP-protected volume. Any damage which it sustains isn’t likely to be minor, and more likely to be the precursor to major or catastrophic failure.

I welcome corrections to the above, should any of it be in error.

30Comments

Add yours

1

EcleX on September 14, 2020 at 8:01 am

Thanks. If the system volume is read-only and sealed, how can third-party installers install software into it? How can the user preferences for such applications be installed or configured-modified by the user?

On the other hand, if third-party repairing tools cannot repair the system volume, can Apple Disk Utility do it? If not possible and the only solution is to erase such volume and re-install macOS, does it mean also re-installing all applications that installed items in such system volume?

Last but not least, I guess that you could restore the system volume from a backup, but what if the source disk is damaged, you make backups and thus all disks (source and backups) are damaged? Such situation can be fixed with HFS+ disks now (not with APFS so far, but Alsoft has promised it in the future) rebuilding the directory with utilities like DiskWarrior.

LikeLiked by 1 person
- 2
  
  hoakley on September 14, 2020 at 8:13 am
  
  Thank you.
  1. Only Apple installers can modify the SSV. Third-party software can’t. End of story. That’s what you have the Data volume for, and is fundamentally the same as in Catalina. To understand that better, please look at my article (at the top left of my front page) explaining Catalina’s volume layout.
  2. AFAIK Disk Utility also can’t repair the SSV, even in Recovery mode. See the article above for the explanation. If the SSV becomes damaged in any way, the only solution is to re-install the system. How can a disk repair tool tell whether the damage is accidental, or the result of malicious activity? It can’t, so the only safe way ahead is to replace it with a fresh sealed system.
  3. I don’t think the SSV is normally backed up, nor should it be restorable except perhaps from a perfect clone using asr, when it works. If there’s any damage to a sealed System volume, then the seal is broken and it can’t be used.
  You suppose that directory damage can occur, hence might need repair. Can you explain to me how directory damage can occur on the SSV, when it’s an APFS snapshot which is mounted (not the volume), the whole volume is read-only, and is protected by SIP?
  Howard.
  
  LikeLike
3

EcleX on September 14, 2020 at 8:40 am

Thanks. No problem then, since the Sealed System Volume only contains items from Apple that are not modified or customized by the user. I thought that it also contained items from third-party installers, user’s preferences, etc, which should be in the Data Volume (I thought that the latter only contained personal files created by the user; you know, your work).

LikeLiked by 1 person
4

jimsugg on September 14, 2020 at 9:16 am

Very good explanation – thanks!
I want to zero in on one aspect: ‘… the old and now expired snapshot(s) should be deleted, leaving only the previous snapshot, to which macOS can roll back if needed, …’
If there is a straightforward way to roll back an update, that goes a long way to satisfying the assertion that the impossibility of restoring the system volume from a bootable clone isn’t really too bad. I have had trouble in the past where an update caused some immediate problems (it was a beta update,) and restoring from a CCCloner backup rectified the issue pretty much immediately.
Do you know yet if the ability to roll back a wayward update is going to be something that can be directly supported? Hopefully, Apple (or CCCloner, SD, etc.) will essentially provide an ‘Undo’ to immediately roll back to the previous system snapshot.

LikeLiked by 1 person
- 5
  
  hoakley on September 14, 2020 at 11:01 am
  
  Thank you.
  At the moment, we don’t know how accessible Apple will make this to the user. For the installer, it’s the fallback when the Seal fails to match that expected, which is supposed to be an automatic process. Whether it will require some command line incantations in Recovery mode, or will have an accessible method there, we won’t know until release, I suspect.
  There is a penalty of course: the snapshot will take around 10-11 GB of storage space.
  Howard.
  
  LikeLike
  - 6
    
    foo on September 19, 2020 at 8:01 pm
    
    No, it doesn’t take 10-11GB. Only the number of blocks modified by the update.
    
    LikeLike
    - 7
      
      hoakley on September 20, 2020 at 4:23 pm
      
      Fair enough.
      I look forward to macOS updates smaller than 3 GB then, unlike the betas, and a tool in macOS for discovering the size taken by a snapshot so I can know how big they are without using CCC, which probably won’t be able to report the size of System volume snapshots anyway.
      Howard.
      
      LikeLike
8

xz4gb8 on September 14, 2020 at 1:18 pm

I confess. I think I understand your explanation. C’est merveilleux.

The magic phrase for me is “Instead of trying to clone the SSV, simply install a new Big Sur System volume in a container with a cloned Data volume. Ensure the installer links the new System volume with the existing Data volume by selecting the latter as the ‘disk’ on which to install macOS 11.0.”

I can do that!

Thank you.

LikeLiked by 1 person
- 9
  
  hoakley on September 14, 2020 at 4:11 pm
  
  Thank you.
  Howard.
  
  LikeLike
10

Jerry Fritschle on September 14, 2020 at 4:03 pm

Regarding CCC, Mr. Bombich purports to be “working with Apple” on addressing the issues of asr with Big Sur. I am sure he’s weary of being asked, like the Pope to Michelangelo (or the kid asking “…are we there yet?”) 🙂

LikeLiked by 1 person
- 11
  
  hoakley on September 14, 2020 at 4:15 pm
  
  Thank you, Jerry.
  I think that means he has sent Feedback and may be in touch with the engineers responsible for asr. I’m fairly confident that Apple hasn’t asked him to help fix the problem, though.
  Howard.
  
  LikeLike
12

Rob Menke on September 14, 2020 at 10:34 pm

Howard,

I just had to do that due to the system volume developing orphan segments (my word). I’ve been keeping up with CCC and they discussed just what you’ve outlined concerning the System Volume. It worked! Thanks for the article.

LikeLiked by 1 person
- 13
  
  hoakley on September 14, 2020 at 10:58 pm
  
  Thank you.
  Howard.
  
  LikeLike
14

Samuel A. Litt on September 15, 2020 at 6:09 am

Regarding the stated workaround: “Instead of trying to clone the SSV, simply install a new Big Sur System volume in a container with a cloned Data volume. Ensure the installer links the new System volume with the existing Data volume by selecting the latter as the ‘disk’ on which to install macOS 11.0.” – Wouldn’t this necessitate re-installing all of one’s third-party applications a well?

LikeLiked by 1 person
- 15
  
  hoakley on September 15, 2020 at 6:59 am
  
  Thank you.
  No: all third-party items, even kernel extensions, are installed on the Data volume, not on the System volume, which only contains immutable Apple system files.
  Howard.
  
  LikeLike
16

QuickMik on September 17, 2020 at 3:21 am

this all sounds pretty shitty
but apple seems to do a lot that the user doesn’t want to do.

LikeLiked by 1 person
- 17
  
  hoakley on September 17, 2020 at 5:59 am
  
  Thank you.
  I’m not sure that I follow you, though.
  Howard.
  
  LikeLike
  - 18
    
    QuickMik on September 17, 2020 at 8:30 am
    
    we have to roll out ~ 1000 devices here. this is almost impossible with such measures. many years we have worked with deployment studio. this is also long dead. soon you can forget carbon copy cloner. apple wants to have all users on their servers. not everyone has a 10Gbit internet connection.
    
    LikeLiked by 1 person
    - 19
      
      hoakley on September 17, 2020 at 9:07 am
      
      Thank you.
      I sincerely hope that you’re not rolling out a beta OS to all those devices? I’m sure that asr will be fixed soon, hopefully before the first release. In any case, with that number I’d have thought that Jamf would be your friends?
      Howard.
      
      LikeLike
    - 20
      
      QuickMik on September 17, 2020 at 10:07 am
      
      of course we don’t roll out bata versions. but the ASR problem already existed under catalina (10.15.5).jamf would be my friend…but the rollout for 40 clients at the same time is also very limited over the network. i prefer to clone the SSD. but the end is (once again) near.
      
      LikeLiked by 1 person
21

Ben on September 18, 2020 at 4:30 pm

Para 6: “Both 10.16 and 11.0”. Shouldn’t that be 10.15 and 11? (i.e. Catalina and BS).

LikeLiked by 1 person
- 22
  
  hoakley on September 18, 2020 at 4:34 pm
  
  Thank you – well spotted!
  Howard.
  
  LikeLike
23

Bill on September 18, 2020 at 9:22 pm

An interesting possible performance point here:

In my day job, I have dealt with performance teams who have found that because of the way SHA hashes are calculated, for most 64-bit processors SHA-512 hashes are actually faster to calculate (and are more secure) than SHA-256 hashes.

This is because calculating SHA-256 hashes requires several operations on sub-word quantities where SHA-512 performs math on full 64-bit words, an operation that is faster on most 64-bit CPUs.

The key is whether Apple Silicon will be optimized for calculating SHA-256 hashes for just this reason.

LikeLiked by 1 person
- 24
  
  hoakley on September 18, 2020 at 10:17 pm
  
  Thank you.
  Apple has its own optimised calls for cryptographic hash calculation, which I think on T2 Macs uses the T2 chip, which is of course designed for exactly this type of task. It would be interesting to benchmark it on the two different types of hardware.
  Howard.
  
  LikeLike
25

EcleX on October 1, 2020 at 6:39 am

You said: “Will Big Sur support the cloning of System volumes?”

Perhaps this could allow it… It was just a matter of time (whatever is closed, can be opened):

Apple’s T2 Security Chip Jailbroken by Checkra1n
https://www.macobserver.com/link/t2-security-chip-jailbroken

Hackers jailbreak Apple’s T2 security chip powered by bridgeOS
https://yalujailbreak.net/t2-security-chip-jailbreak

LikeLiked by 1 person
- 26
  
  hoakley on October 1, 2020 at 9:24 am
  
  Thank you.
  The article above doesn’t mention the T2 chip, as that has nothing to do with the cloning of system volumes. I’d be grateful if you could explain the relevance of the articles to which you provide links.
  Howard.
  
  LikeLike
27

EcleX on October 1, 2020 at 7:05 am

This is in relation to my previous message posted a few minutes ago (which does not show yet, since I guess it is moderated to prevent spam):

Or to overcome this…

Mac with T2 Security Chip required to play 4K Netflix streams in macOS Big Sur
https://appleinsider.com/articles/20/09/30/mac-with-t2-security-chip-required-to-play-4k-netflix-streams-in-macos-big-sur

LikeLiked by 1 person
- 28
  
  hoakley on October 1, 2020 at 9:25 am
  
  Yes, when you post comments which contain a lot of links to other sites, Akismet suspects that they are spam, and I have to be able to take them out of the spam, having checked that none of the links is malicious.
  And I still don’t understand what relevance this has to cloning System volumes in Big Sur.
  Howard.
  
  LikeLike
  - 29
    
    EcleX on October 1, 2020 at 11:26 am
    
    Thanks. I thought that they could be related to cloning. In any case, I guess that it has relevance for the Netflix part. And maybe to turn off the T2 encryption-decryption, if the Mac user wants that.
    
    LikeLiked by 1 person
    - 30
      
      hoakley on October 1, 2020 at 2:54 pm
      
      I don’t think so. What has been described to ‘jailbreak’ the T2 chip isn’t the sort of thing that users will do at home. And the penalty for getting it wrong is bricking that Mac, requiring to have a complete new logic board. That’s hardly the sort of risk to run just to get Netflix 4K.
      And what I have explained above about cloning is the result of the new SSV in Big Sur, which applies to all macOS 11 installations, regardless of whether there’s a T2 chip present.
      Howard.
      
      LikeLike