hoakley January 14, 2021 Macs, Technology

M1 Macs radically change boot and recovery

Make yourself an external bootable disk for an Intel Mac and what you get is essentially the same as on its internal storage. It has two partitions, one the traditional EFI in FAT32 format, the other an APFS container within which are the boot Volume Group and the Recovery volume, as shown in the lightly revised diagram below.

The same is true for an external bootable disk for an M1 Mac, which comes complete with its EFI partition and the single container with its boot Volume Group and a volume named Recovery too. But that’s very different from the structure and contents of that M1 Mac’s internal storage. Thanks to some deeper exploration by Hector Martin of the Asahi Linux project, and some spade work with diskutil, we can now make a bit more sense of what’s on that internal storage, and why it’s so different from what we’ve come to expect.

When you boot an M1 Mac into its new Recovery Mode, it isn’t using the Recovery volume from the standard boot container at all, but what Apple calls 1 True Recovery (1TR) from the Apple_APFS_Recovery container, something which doesn’t exist on an external bootable disk. Many of its features, notably its Startup Security Utility which you can use to change the security policy, are only available in 1TR. As that can’t exist on an external bootable disk, and its command line equivalent bputil is largely limited to 1TR, it’s the internal storage which really controls that Mac, even when it’s booted from an external disk.

The three containers on an M1 Mac’s internal storage have distinct functions.

The first, Apple_APFS_ISC, is the iBoot System Container (iSC), and supports the iBoot firmware in the early boot process, as well as providing trusted storage for the Secure Enclave within the M1 SoC. Like the two other containers, it can have designated ‘booter’ and ‘recovery’ volumes, indicated in the above diagram by an asterisk • next to the volume name. Here, the iSCPreboot volume is the designated booter, and the empty Recovery volume is for recovery. The xART (volume name) or xarts (volume mountpoint) volume provides trusted storage, while the Hardware volume contains hardware-related files such as logs and activation data.

The Apple_APFS_Recovery container is dedicated to providing 1TR, which is stored on its Recovery volume. This includes a second part of iBoot and all that’s necessary for the M1’s full Recovery Mode. That Recovery volume is designated for recovery, but this container doesn’t have a separate booter volume.

The normal boot container Apple_APFS isn’t quite the same as that on an Intel Mac either: one subtle but significant difference is that the Data volume isn’t named Macintosh HD – Data, but simply Data. If you use code which relies on finding the Data volume by name, you’ll need to check whether that still works. Although this container still has a Recovery volume, this is more limited and can’t access security policy, for example.

If you’re unfortunate enough to completely wipe your M1 Mac’s internal storage, the only way to recover it is to restore the whole firmware and software image in DFU mode with Configurator 2. When that’s done, as far as your Mac and Apple are concerned, it’s effectively a new Mac and has to undergo full setup from scratch.

When you start up an M1 Mac from an external disk, the first part of the boot process still runs from internal storage and the iBoot System Container, so that it establishes saved security policy. However, a separate policy is saved for each system install. This makes it possible to engage a different policy when booting from an external disk from that for the internal SSD, and for alternative systems installed on the internal storage too.

For those wanting to dual boot an M1 Mac, it changes the process markedly. The iSC and 1TR containers on internal storage provide boot support and recovery for older versions of macOS which are installed. This is much cleaner than on Intel Macs, where each version has its own Recovery volume, which can lead to confusion and error. On the other hand, it’s reliant on the iSC and 1TR remaining backward-compatible with older versions of macOS, a problem which might become apparent with macOS 12 later this year.

This ingenious new boot process does have consequences, though. Failure of internal storage means failure of the whole Mac, which can’t then boot from an external disk, which lacks the essential iSC and can’t provide 1TR either. I think this is already true for Macs with T2 chips, with their single security policy, rather than one for each bootable operating system as in the M1. I suspect it’s also, in part at least, responsible for the lack of an Internet Recovery Mode in M1 Macs.

This explains the differences in what you see ‘mounted’ in the /System/Volumes folder on Intel and M1 Macs: what are real volumes in separate containers on the M1 Mac’s internal storage are only shadowed folders to an Intel model.

As alternative operating systems, like Asahi Linux, start arriving for M1 Macs, we’ll start seeing them use the potential of these new features.

Postscript:

I can see the consequences of iSC and 1TR only existing on internal storage are causing some conceptual problems. Perhaps the simplest way to consider this is that they are effectively part of the M1 Mac’s firmware: to boot, either from any disk or to 1 True Recovery, the M1 Mac has to load from iSC, or iSC+1TR. Just as you can’t copy/clone/backup firmware to another disk, so you can’t with iSC or 1TR.

37Comments

Add yours

1

EcleX on January 14, 2021 at 8:26 am

Thanks for the interesting article. You said “Failure of internal storage means failure of the whole Mac, which can’t then boot from an external disk”. Is it then possible to i) erase the contents of such internal booting disk using Disk Utility or other application; and ii) then try to restore from a backup?

LikeLiked by 1 person
- 2
  
  hoakley on January 14, 2021 at 9:55 am
  
  Thank you.
  Maybe I’m missing something, but if the M1 Mac’s internal storage has failed, how can you boot it to run any utilities like Disk Utility?
  Howard.
  
  LikeLike
  - 3
    
    EcleX on January 14, 2021 at 10:35 am
    
    I meant to boot from other disk and then format-erase the other disk with problems that cannot boot. Should that be possible? Thanks.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on January 14, 2021 at 10:39 am
      
      The only ‘other disk’ would be an external disk. As this article explains, you can’t boot an M1 Mac solely from an external disk. The early part of the boot process is performed from the iSC container, and the whole of 1TR is on the internal storage alone.
      So how could you boot from an external disk?
      Howard.
      
      LikeLike
  - 5
    
    EcleX on January 14, 2021 at 4:17 pm
    
    Thanks. I think that I did not explain properly. I meant to boot any Mac from any disk and then access (via Target Disk Mode or other way) the disk with problems in the other Mac to erase it. And then restore contents from backup.
    
    LikeLiked by 1 person
    - 6
      
      hoakley on January 14, 2021 at 4:33 pm
      
      Ah. You might like to look back at this article which examines M1 Target Disk mode. It’s run over SMB, so you can exchange files but can’t run remote apps or command tools on the M1.
      Any other suggestions that don’t involve booting the M1 with the failed SSD?
      Howard.
      
      LikeLike
  - 7
    
    EcleX on January 14, 2021 at 5:45 pm
    
    Thanks. Then, I guess that it is not possible to erase-format the failed Mac disk booting from other Mac or disk using any version of Mac operating system, including older ones (Mac OS X 9 Classic, etc). I wonder if that could be possible booting from other operating system like Windows or Linux, to access the failed disk and erase it. Could that be somehow possible? If so, how?
    
    LikeLiked by 1 person
    - 8
      
      hoakley on January 14, 2021 at 6:00 pm
      
      No. There is no way to do that, except by removing the SSD from the Mac by desoldering it and installing it in another device. Which destroys your logic board and (most probably) the SSD too.
      I’m open to better suggestions, but IMHO there aren’t any.
      The internal SSD controller is the Fabric in the M1 chip itself. Without booting at least the first part of the boot firmware, it can’t access the SSD. To proceed any further with the boot process, it needs to access the iSC container, which is stored on the SSD.
      Howard.
      
      LikeLike
  - 9
    
    EcleX on January 14, 2021 at 7:57 pm
    
    Thanks. I guess that probably Apple could fix or erase such disks (if they can be technically repaired, of course) in their Apple Store premises, using special equipment. Maybe also authorized dealers in the future.
    
    LikeLiked by 1 person
    - 10
      
      hoakley on January 14, 2021 at 8:10 pm
      
      I very much doubt it. As with T2 Macs, the practice is to replace the logic board, which is expensive. Apple then sends the old logic board back to a factory where it’s fault-checked and, if reusable, is repaired and used as an exchange unit for another repair.
      The simple remedy is to try DFU with Configurator 2 from another Mac: if that works, and the internal SSD appears fine, then you can carry on using that Mac. If the M1 Mac won’t even enter DFU mode, then it has to go back to Apple.
      Howard.
      
      LikeLike
11

alberic on January 14, 2021 at 10:33 am

Thanks for all your research about Big Sur. The disk layout becomes more and more intricate. What does this mean for backup software whose goal is to restore the contents of an entire boot disk (like CCCloner)?

LikeLiked by 1 person
- 12
  
  hoakley on January 14, 2021 at 10:37 am
  
  Thank you. Although you’d have to ask Mike Bombich for the definitive answer, as far as I’m aware only the normal system container can be cloned or restored. The iSC and 1TR containers can’t be copied, or written except as part of the image which can be restored using Configurator. In that respect, they function as if they’re firmware.
  Howard.
  
  LikeLike
  - 13
    
    almue on January 14, 2021 at 2:10 pm
    
    That’s what I suspected. However from a hardware point of view, these partitions can be corrupted and the Configuration option is rather arcane…
    
    LikeLiked by 1 person
    - 14
      
      hoakley on January 14, 2021 at 3:23 pm
      
      Thank you.
      Again, the concept of firmware is probably a good comparison. The two crucial containers are in separate partitions on an SSD, with (I think) a combination of SIP and permissions to protect them. So yes, it is physically possible, but the chances of that happening are remote.
      If it were to happen, unlike with Intel Mac firmware, all the user has to do is restore using Apple Configurator. Admittedly that requires a second Mac, but that can be any Mac running Big Sur. For those without that second Mac, it should take around 15 minutes in an Apple store.
      Howard.
      
      LikeLike
15

sanstudio on January 14, 2021 at 9:21 pm

This discussion is frankly above my head… but in simple terms, does this mean that a _completely_ failed SSD means that the M1 Mac is bricked?

Disturbing if true, because (although I’ve not yet had to deal with a worn-out SSD), over the years I’ve resurrected a couple of Macs with dead internal boot-spinning-drives by booting from an external backup drive, or even from an installer optical disc (in the very old days). Luckily I live in a city that has an Apple Store, but what about people who don’t, or whose warranty/AppleCare has expired? They’re just SOL?

LikeLiked by 1 person
- 16
  
  hoakley on January 14, 2021 at 9:40 pm
  
  I think that depends on what you mean by “completely failed”. SSDs are different in this respect from rotating hard disks. Hard disks are beautiful examples of precision engineering, but inherently unreliable. They tend to develop bad spots on the disk over time, in a slow failure mode, before failing totally at the end of their life. SSDs generally work fine, or they fail completely and have to be replaced.
  Both can of course suffer soft corruption, but that’s recoverable. In the case of an SSD with a major soft error, all you have to do with an M1 Mac is restore from another Mac running Configurator, and that’s something a user or Apple store can do in a matter of 15 minutes or so – it’s much quicker than reinstalling macOS.
  If an SSD has undergone hardware failure, then there’s nothing else you can do with it except replace it. As SSDs are now soldered in, and in any case aren’t the types which a regular user is able to replace, that requires a replacement logic board, whether that’s an Intel or M1 Mac.
  So the idea of resuscitating a ‘dead’ Mac with an internal SSD depends on the cause of its death. Not being able to boot it from an external disk isn’t as bad as it might seem, and if you can use Configurator, you should be able to handle all the recoverable soft failures anyway.
  Howard.
  
  LikeLike
17

Michael Tsai - Blog - macOS 11.2 Beta 2 Adds Full Custom Kernel Support on January 14, 2021 at 9:50 pm

[…] Howard Oakley: […]

LikeLike
18

sanstudio on January 15, 2021 at 1:30 am

I have the impression Backblaze is the most quoted source for information about drive failure patterns and rates, so I just looked at their article on SSD failures. Not sure if you allow links here, but the article is at: https://www.backblaze.com/blog/how-reliable-are-ssds/

They seem to say that SSDs often give some warning before failure, and they list some of the warning signs. They also point out that a common SSD warranty period is 5 years, so they would expect many of them to last about that long — which is OK because most computer users replace their machines every three years. Really? I didn’t know that. I’m still happily using a 10-year-old Mac Pro, although it would have been discarded long ago if I hadn’t been able to replace the failing drives inside (with new HDs and SSDs) a few times over that period. And it was easy to replace them, and it’s easy to boot externally too.

I also can’t see any security need for Apple to make the M1s impossible to boot externally if the internal SSD is totally dead. My understanding of all this is admittedly quite limited, but it seems like if the internal drive were dead, a bad guy couldn’t read any of the private data in it anyway. Plus the SSD is probably encrypted, right? So why this limitation? (I realize you already explained the physical/technical reason for the limitation, I’m questioning why they didn’t work around it in some way.)

I’ve been seriously mulling buying an M1 mini to replace my old Mac Pro tower, since although it works fine, its days are probably numbered. (And I can’t run the newest, shiniest software on it.) But this whole issue of non-repairable and non-externally-bootable Macs makes me very nervous.

LikeLiked by 1 person
- 19
  
  hoakley on January 15, 2021 at 10:23 am
  
  Thank you.
  That’s quite different from the graceful degradation which happens over years with hard disks, which is what I’m referring to. Even new hard disks often have a bad block or two, and over years of use they tend to accumulate a few. I’m not aware of that happening with modern SSDs, are you?
  If the SSD in an M1 Mac is totally dead, you need to replace it. There’s a lot of speculation about how long modern SSDs last in normal (i.e. non-cloud-server) use, but I think it’s safe to assume that the vast majority will still be going strong after 10 years, which is considerably longer than the average internal hard disk.
  I used to run a Pegasus RAID hard disk system here, and routinely replaced my hard disks every 3 years or so. I now have two external SSD SSD arrays (neither in RAID now), and certainly won’t be doing that with them, even if the cost of SSDs were to fall dramatically. Instead, I’m looking to replace them when they’re around ten years old, maybe even later according to their usage figures.
  Failure of SSDs is very different from that of electro-mechanical hard disks.
  Finally, M1 Macs aren’t non-repairable at all. They are externally bootable, but still require their internal SSDs. So your last sentence isn’t in the least bit accurate, is it?
  Howard.
  
  LikeLike
20

Rocky on January 15, 2021 at 6:43 am

I’m probably dense, but a complex SSD layout with iSC and 1TR is better than dedicated “firmware” storage … how exactly?

LikeLiked by 1 person
- 21
  
  hoakley on January 15, 2021 at 10:25 am
  
  Thank you.
  Have you ever heard of the many problems of updating firmware in Intel Macs? Can you revert any Intel Mac to an older version of firmware?
  Howard.
  
  LikeLike
22

traveller on January 15, 2021 at 7:09 am

Ok, so instead of a chip with NVRAM, we have bootstrap code stored on the hard disk. One could argue that storage is storage, so why not? Except in this case, I could perhaps accidentally nuke my BIOS with a disk utility. Outch.

So the question is, what’s the design benefit gained from this seemingly riskier configuration (not to mention the loss of the super-cool internet recovery function)? Cost savings?

LikeLiked by 1 person
- 23
  
  hoakley on January 15, 2021 at 10:27 am
  
  Thank you.
  Please explain how, in an M1 Mac, you might “accidentally” wipe its internal SSD with “a disk utility”?
  Also, assuming you had done that, what’s to prevent you from restoring it using Configurator in around 15 minutes?
  Howard.
  
  LikeLike
  - 24
    
    traveller on January 15, 2021 at 5:36 pm
    
    Good afternoon – I can’t say, to be honest; I haven’t played with an M1 Mac yet. However, with an Intel Mac, if, for instance, one doesn’t know the password for one’s encrypted disk, one can choose, in recovery mode, to simply wipe the entire disk, leaving it booting to a flashing-folder-with-a-question-mark. On the Intel Mac, one can then use Internet recovery to fix that. It sounds like, with an M1 Mac, one would need a second Mac — not something everyone has — or a trip to the shop.
    
    That seems like a step backward, leaving me puzzling about the advantage is of this design.
    
    LikeLiked by 1 person
    - 25
      
      hoakley on January 15, 2021 at 6:35 pm
      
      Thank you.
      You’re assuming that there’s an identical feature on the M1 models, and then condemning them because of that?
      In my exploration of 1 True Recovery on my M1 Macs, I can’t say that was an aspect which I looked at. However, if you were to format the internal SSD in 1TR Disk Utility, I think you’d find that it only erased the macOS partition, and not the iSC or 1TR containers. In any case, that’s a deliberate act, not an accident.
      The Intel Mac gets away with that precisely because there is Internet Recovery available, although I’m not sure that it does wipe the Recovery or Preboot volumes, which I think are still required for Internet Recovery.
      I think the only way that you can completely wipe the internal SSD of an M1 Mac is from Configurator, and that’s performed as part of a restore, which installs the selected firmware, iSC, 1TR and macOS partitions from the image. One obvious advantage of that is that you can downgrade them all if you wish, something not currently possible on Intel models. So if you find that you’ve got problems running macOS 11.n in 15 minutes you can restore the whole of macOS 11.n-1 complete with its firmware. You simply can’t do that on an Intel Mac.
      Howard.
      
      LikeLike
    - 26
      
      hoakley on January 15, 2021 at 11:48 pm
      
      This evening I had a little look in 1TR. Disk Utility doesn’t show the iSC or 1TR partitions, and makes clear that you can’t touch them, even to resize them, for example. I didn’t try formatting the whole disk, but from what I see you can’t remove those two partitions in 1TR. And if you could, it’s hardly going to be accidental either.
      Howard.
      
      LikeLike
27

Denis on January 16, 2021 at 7:06 am

Actually Disk Utility in 1TR on my M1 Mac allows me to format the whole internal SSD to anything expected there including MS-DOS with MBR scheme. I didn’t try it out of course but all the pop-up menus in the Erase options dialog are active.

LikeLiked by 1 person
- 28
  
  hoakley on January 16, 2021 at 7:15 am
  
  Thank you. Yes, I too looked at those options but didn’t try them.
  Now think: where’s that copy of Disk Utility you’re using running from? Yes, it’s in the 1TR. So that’s one open app in a container which can’t be erased, can it? And where’s the still loaded boot code? It’s in the iSC partition, which therefore also can’t be erased as it has open files, I suspect.
  I think if you try it you’ll discover that Disk Utility refuses to change the partition format and preserves those two partitions/containers. I could be wrong, as I haven’t actually tried it here.
  In any case, I’m sure that if you were able to do that there’d be plenty of warnings. So not exactly an accident, which was the original supposition.
  And even if you can completely wipe the internal SSD, all you then need is 15 minutes restoring it using Configurator – it’s not a ‘return to Apple’ event.
  Howard.
  
  LikeLike
29

Alexis Brondum on January 22, 2021 at 3:39 pm

Hi

Dual boot with 2 BigSur installed on internal ssd

– split the ssd into 2 partitions
– install 11.1 on each partition
– Why, so my work and private os is sepparated (like I have it on my Intel mac)

I made a try with my old m1, but diskutil f*cked up the ssd, (it became twice the size 🙂 so apple sent me a new m1 mac (it was forever bricked !, the M1 Mac’s internal storage did fail)

Im damn careful now, the firmware/boot/etc seem to be very different from Intel macs … (your diagrams confirmed that)

macos admin user and password seem to be stored in the firmware.
That why im asking so i dont f*ck up everything when installing bigsur on the other partition … overwriting the other partitions user/pw !

/Alexis

LikeLiked by 1 person
- 30
  
  hoakley on January 22, 2021 at 6:49 pm
  
  Thank you.
  I’m not sure that I’d choose to do that, but would prefer to boot from an external disk for one of your systems.
  That said, you can adjust the size of the macOS partition using Disk Utility in Recovery, in the normal way, to add another partition. I wish you success with it – please report how your get on.
  Howard.
  
  LikeLike
31

Alexis Bröndum on January 25, 2021 at 7:19 am

Hi

The M1 Mac became weird after I partitioned the internal SSD, purple squares started to appear on the screen.
To test I connect an external ssd and marked that as boot in “StartupDisk”, restarted … but the boot aborted and started over again, power off and tried to boot on the internal disk and … “!” support.apple.. appeared :(, revive commad in Configurator2 failed, so I had to restore the M1 😦

I get the feeling that Apple don’t really support external boot either (so much problems)

Thinking about when beta 12.0, and a million M1 users want to try macOS 12.0 🙂

The M1 boot is a disapointment, all that security thinking has gone haywire on the M1 boot.

So I will continue the software development on my iMac, and use the M1 to test apps 😦

btw

The error message that Configurator2 gave me that the Apple Support guy said the SSD was borken on my first (replaced) M1 was
NSPOSIXErrorDomain – 0x1c (28) (same as when an iPhone internal memory fails)
Apple sent me a new m1 a 6weeks ago.

/Alexis

LikeLiked by 1 person
- 32
  
  hoakley on January 25, 2021 at 8:50 am
  
  Thank you.
  No, external boot is supported. At present there is a problem making some external disks bootable, but I think that’s a bug/issue in the installer, and not any fundamental block.
  However, it isn’t clear whether repartitioning your internal SSD is supported yet. It’s not something I’d want to try on this Intel Mac running 11.1. It’s far simpler to use an external bootable disk, which is reliable, as it can be for an M1.
  Howard.
  
  LikeLike
33

Barry Sharp on May 8, 2021 at 9:33 pm

This article explains to me the method for setting a different Security policy for different bootable devices/volumes. At first when booting up to Recovery mode and selecting to use the Startup Security Utility I got very confused as it ask to select the device for which user want to setup the Security policy. I was thinking the Security policy is a fixed configuration being held in the M1, security enclave hardware and as such was used for every bootable device. Now I see/undersatnd there can be a different security policy for all the internal & external boot devices.

This aspect is very important if for one bootable volume the user wants to add trusted 3rd party extensions. However, I’m finding this to be problematic as even with Reduced Security allowing trusted 3rd party extension to be loaded for an external device, I simply cannot get the trusted 3rd party extension loaded. This is affecting my use of the Promise Pegasus storage devices I have as they require a special extension and driver software. I can install the driver code but not the extension, and thus cannot access the Pegasus units…. this is a real bummer for me.

LikeLiked by 1 person
- 34
  
  Barry Sharp on May 8, 2021 at 9:39 pm
  
  BY THE WAY – The way I create my bootable volumes for my M1 mini, is to user either latest SD! or CCC v6 and clone just my Data volume to the external device. Then I boot the M1 mini into Recovery mode and select to Install Big Sur. After this, the external is bootable without issues, and using the Startup Security Utility, can configure the Security policy I require.
  
  LikeLiked by 1 person
  - 35
    
    hoakley on May 8, 2021 at 9:49 pm
    
    Thank you. Although some claim that this has a higher chance of success, that’s essentially the same as running the full installer app, only from within Recovery Mode. Unless you want to change the security policy, I’m not sure what advantage it has.
    Howard.
    
    LikeLike
- 36
  
  hoakley on May 8, 2021 at 9:47 pm
  
  Thank you.
  I presume that the kernel extension in question is a Universal binary? If so, you’ll need to contact the developer to check with them whether it’s M1 compatible, and how to install it. As you know, kernel extensions are now deprecated, and they’re very hard to get installed properly on M1 Macs. Only their host app should really be handling that, not the user.
  Howard.
  
  LikeLike
37

An M1 Mac Can’t Boot from an External Drive If Its Internal Drive Is Dead - TidBITS on May 31, 2021 at 1:10 pm

[…] published in February 2021 (and updated this month). Plus, I had read Howard Oakley’s article “M1 Macs radically change boot and recovery,” which interpreted some of the obscure aspects of new boot policy for M1-based Macs. Howard and […]

LikeLike