hoakley November 30, 2020 Macs, Technology

Is Big Sur’s system volume sealed?

The most important security feature in Big Sur is its new Sealed System Volume (SSV), which locks away all immutable system files with an ingenious method for preserving their integrity. So how can you check whether your Big Sur System volume is correctly sealed?

If your Mac is an Intel model, then I’m afraid that utilities such as System Information or Disk Utility don’t seem to know. Things are a bit different on an M1 Mac, which I’ll return to later. One perhaps obvious way to see the status of each volume, including the SSV, is using the Terminal command
diskutil apfs list
only what you then see may lead you to think that something has already broken the seal on your Mac’s SSV.

ssv01

So the System volume at disk3s1 (your numbers may differ) has a broken seal?

To understand why that’s perhaps the wrong question, we need to step through how Big Sur creates the SSV in the first place. During system installation, the whole system is created on the System volume. Once complete, and protected by SIP, the installer then creates the Merkle tree of hashes up to the Seal, the one hash to rule them all, and makes a snapshot. The tree of hashes and its Seal are then stored in the file system metadata which make up that snapshot. The sealed snapshot is then mounted and the System volume itself is unmounted.

So it’s not the System volume which is sealed now, but that snapshot. Scroll down a little and you’ll see that there’s separate information given about that.

ssv02

That snapshot, which is mounted as the root /, is sealed after all. That crucial piece of information appears to have been omitted from other locations in Big Sur when it’s running on an Intel Mac.

This is slightly less confusing when viewed on an M1 Mac: in System Information, select the Controller item in the Hardware section, and you’ll see, under Boot Policy:
Signed System Volume: Enabled
which I presume is synonymous with Sealed System Volume.

Those same security settings are given in my free utility SilentKnight too.

ssv03

There is a more specific informative command available on both Intel and Apple Silicon Macs which gives a clear answer:
csrutil authenticated-root status
which should return
Authenticated Root status: enabled
to settle the matter.

But what’s currently shown on Intel Macs, and in diskutil, remains far from clear. Hopefully in a future version of Big Sur, Apple will put our minds more at ease.

Thanks to Sarah Edwards @iamevltwin for asking the question.

30Comments

Add yours

1

Michele Galvagno on November 30, 2020 at 9:13 am

Very informative, thanks! Have you ever written about FileVault in general? Its pros and cons?

LikeLiked by 1 person
- 2
  
  hoakley on November 30, 2020 at 10:02 am
  
  Thank you.
  FileVault isn’t much of a topic any more, with T2 and M1 Macs, as they all have boot disk encryption enabled permanently. So the only choice is whether you additionally protect it with your own password, which is also hardly a choice – the answer is yes.
  For external disks, the issue is whether they contain sensitive data which needs to be protected, which is very much a user choice.
  Howard.
  
  LikeLiked by 1 person
  - 3
    
    Michele Galvagno on November 30, 2020 at 10:11 am
    
    Awesome, I never wanted to delve into that.
    For external drives, is FileVault a thing or are there other ways to encrypt it? Not that I need it right now but…
    
    LikeLiked by 1 person
    - 4
      
      hoakley on November 30, 2020 at 10:17 am
      
      If it’s not a bootable disk, simply format the volume using APFS Encrypted. Personally, I prefer encrypted sparsebundles which don’t occupy the whole volume, but as volumes share free space, even that isn’t an issue. FileVault 2 is for whole disk encryption, which you want if you’re going to boot from that disk.
      Howard.
      
      LikeLiked by 1 person
    - 5
      
      Michele Galvagno on November 30, 2020 at 10:29 am
      
      Thank you so much!
      I’ll soon prepare that new SSD for TM backup in Big Sur, do you suggest to have it AFPS Encrypted as TM app suggests?
      
      LikeLiked by 1 person
    - 6
      
      hoakley on November 30, 2020 at 1:57 pm
      
      That depends on whether you have sensitive data in your backups which need to be protected. If you do, then encrypted backups are the best way to do that. I don’t normally encrypt mine, though.
      Howard.
      
      LikeLike
    - 7
      
      Michele Galvagno on November 30, 2020 at 2:03 pm
      
      Same here, so I won’t. Thanks a lot!
      
      LikeLiked by 1 person
8

henkpoley on November 30, 2020 at 1:18 pm

Could it be that your SilentKnight checks for some (English) strings from executed commands?

Since SilentKnight 1.14 for me, gives a yellow exclamation sign for Platform Security. But al the subcategories basically say the same thing as in the above screenshot, just in Dutch (what they speak in The Netherlands).

Maybe execute the commands with LANG=C.UTF-8 ?

LikeLiked by 1 person
- 9
  
  hoakley on November 30, 2020 at 1:52 pm
  
  Thank you. I’m sorry about that: yes, it parses several results from shell commands. I don’t know how I can set the environment in which they’re executed to return the results in English, though, as they’re called from Swift rather than shell scripts. I’ll see what I can discover.
  Howard.
  
  LikeLike
- 10
  
  hoakley on November 30, 2020 at 5:13 pm
  
  Thank you. I have located a way to set that environment variable. This won’t appear in the next release of SilentKnight, I’m afraid, but hopefully in a week or so when I’ve had a chance to implement and test it properly.
  Howard.
  
  LikeLike
11

henkpoley on November 30, 2020 at 1:45 pm

`silnite` crashes on my M1 MacBook:

henk@MBPvanHenkPoley silnite5 % arch -x86_64 ./silnite
zsh: illegal hardware instruction arch -x86_64 ./silnite
henk@MBPvanHenkPoley silnite5 % ./silnite
zsh: trace trap ./silnite

LikeLiked by 1 person
- 12
  
  hoakley on November 30, 2020 at 1:53 pm
  
  I’m sorry about that. I will look into it.
  Howard.
  
  LikeLike
- 13
  
  hoakley on November 30, 2020 at 5:12 pm
  
  Thank you: yes it will. I need to build a new version to be compatible with the M1 Macs.
  Howard.
  
  LikeLike
  - 14
    
    henkpoley on December 1, 2020 at 5:21 am
    
    Do you need me to put backtracked somewhere? Would that just be starting it with gdb, run, bt?
    
    LikeLiked by 1 person
  - 15
    
    henkpoley on December 1, 2020 at 5:28 am
    
    Ah, of course silnite is logged in Console crash logs. Here’s one: https://pastebin.com/p9CKQyjB
    
    But there are no debug symbols. So it’s not that useful.
    
    LikeLiked by 1 person
    - 16
      
      hoakley on December 1, 2020 at 8:35 am
      
      Thank you. I know what I need to do, and will get to it when I can.
      Howard.
      
      LikeLike
17

TheBloke on December 1, 2020 at 5:32 pm

Thanks for the info. What I’m still trying to understand why many/most people have “Sealed: Broken” against the main filesystem, while also having “Snapshot Sealed: Yes”.

Have you figured out why many people – including yourself – have “Sealed: Broken”, while some others do not? I have Sealed: Broken, and so have most of the people I’ve asked. But a cople do have “Sealed: Yes” on the system. All of us are on Intel-based Macs.

I’d love to understand a bit more about why the filesystem seal may or may not be broken, and whether it actually affects anything as long as “Snapshot Sealed: Yes”

LikeLiked by 1 person
- 18
  
  hoakley on December 1, 2020 at 6:44 pm
  
  Thank you.
  It doesn’t matter about the volume: it’s unmounted, and therefore inaccessible. It’s the snapshot which is the active system, and all that you should worry about. So long as that’s sealed, the SSV is intact and secure.
  Howard.
  
  LikeLiked by 1 person
  - 19
    
    tjobbins on December 1, 2020 at 7:03 pm
    
    That’s great, thanks very much for confirming that.
    
    LikeLike
20

Michael Tsai - Blog - Is Big Sur’s System Volume Sealed? on December 2, 2020 at 9:59 pm

[…] Howard Oakley: […]

LikeLike
21

Week 49 – 2020 – This Week In 4n6 on December 6, 2020 at 8:53 am

[…] Howard Oakley at ‘The Eclectic Light Company’Is Big Sur’s system volume sealed? […]

LikeLike
22

luposian on December 14, 2020 at 9:43 am

On my M1 Mac Mini, I am trying to create a bootable external drive. But everything I’m trying (to install Big Sur 11.0.1) is failing. The external drive has only one occupied folder and all others are empty.

LikeLiked by 1 person
23

Foo on December 16, 2020 at 8:50 am

Anytime the volume is mounted writable, the seal will be broken. Likely the Software Update system mounted the volume and that broke the seal (note it doesn’t even have to modify any files or metadata). No worries, with APFS snapshots, the system can revert to the snapshot that you are booted from and go forward from there. Heck, if a file failed to be patched because of a bit flip in DRAM they could reset the volume and start over if they implemented that logic…

LikeLiked by 1 person
- 24
  
  hoakley on December 16, 2020 at 9:19 am
  
  Thank you.
  But the seal which is checked during boot isn’t that on the volume, it’s that on the snapshot which is being mounted to provide the system, isn’t it? And that’s the point of this article.
  It’s interesting that many users are reporting that their volume seals are broken, and many are reporting that it’s not. So that clearly isn’t important to macOS.
  Howard.
  
  LikeLike
  - 25
    
    Foo on December 16, 2020 at 11:44 pm
    
    Correct, the system will check the seal on the snapshot, but if the volume has not been mounted since the last snapshot, they should both report as Sealed (snapshot and source volume). In the cases where they aren’t, an entity (likely software update) must have mounted it writable once to ‘break’ the seal…
    
    LikeLiked by 1 person
    - 26
      
      hoakley on December 16, 2020 at 11:55 pm
      
      Erm, I don’t think that’s correct.
      I updated to 11.1 when it was released. I restarted my iMac Pro this afternoon, since when Software Update (or anything else) hasn’t gone near my System volume. Currently, diskutil apfs list reports my unmounted System volume disk5s5 has a broken seal, but the active snapshot of macOS disk5s5s1 mounted at root is sealed.
      Are you saying that command is giving the wrong information?
      Howard.
      
      LikeLike
27

porg on February 10, 2021 at 12:14 am

Thanks a lot for this! I had been worried that the seal of my startup disk was broken and wondered why my Mac nevertheless booted without complaint or intervention. Now after this information, I know that in “diskutil ap list” I had simply looked at the wrong place (the System volume) instead of the right place (its latest snapshot).

LikeLiked by 1 person
- 28
  
  hoakley on February 10, 2021 at 12:31 am
  
  Don’t worry: if the seal is broken, your Mac throws you into Recovery to install macOS again.
  Howard.
  
  LikeLike
29

glennfleishman on March 24, 2021 at 6:03 pm

Thanks for this and other excellent posts. Have you found a list of which apps are in the sealed volume? I have to do some digging, I imagine. Disk Utility and Activity Monitor, for instance, I assume are in the sealed side, while anything Apple manages from the App Store, like Keynote, obviously cannot be.

LikeLiked by 1 person
- 30
  
  hoakley on March 24, 2021 at 6:09 pm
  
  Thank you.
  The list is easily seen: in the Finder, select the path Macintosh HD/System/Applications to see them. The list is essentially the standard bundled apps, but excludes Safari, which is on the Data volume for ease of updating, apparently. Only many of its essential WebKit and other components are on the System volume, which means that both have to be updated in practice, leading to even larger updates. Ho hum.
  Howard.
  
  LikeLiked by 1 person