hoakley May 21, 2021 Macs, Technology

M1 Secure Boot, morphine and self-destruction

It’s well known that M1 Macs offer three levels of boot policy:

Full Security, which normally means a ‘proper’ installation of the same (or more recent) version of macOS as is on the internal SSD;
Reduced Security, such as a ‘proper’ installation of an older version of Big Sur, such as 11.2.3, when the internal SSD is running 11.3.1;
Permissive Security, which is anything else permitted, including custom builds of an XNU kernel.

If you enter RecoveryOS and open Startup Security Utility, though, you’re only offered the first two in its window. This article goes in quest of Permissive Security and why you don’t want to use it. Ever.

Apple drops us a clue or two in the latest, revised edition of its invaluable Platform Security Guide (which now also works in non-US English: hurrah!). There it states:
“It isn’t possible to downgrade to Permissive Security from the Startup Security Utility app. Users can downgrade only by running command-line tools from Terminal in recoveryOS, such as csrutil (to disable SIP). After the user has downgraded, the fact that it’s occurred is reflected in Startup Security Utility, and so a user can easily set the security to a more secure mode.”

So if you want to disable SIP on an M1 Mac, you have to downgrade that bootable disk to Permissive Security, and disabling SIP appears to be one way of doing that. Presumably other ways, such as unsealing macOS, are similar. For convenience, I explain this further in the Postscript below.

Apple does provide a command line tool for working with M1 boot policy: bputil, which perhaps should have been named morphine, as it’s powerful, extremely dangerous, potentially addictive, and ultimately could lead to self-destruction. A bit like Caravaggio too.

This impression is confirmed when you read bputil‘s man page. Its preamble reads:
“This utility is not meant for normal users or even sysadmins. It provides unabstracted access to capabilities which are normally handled for the user automatically when changing the security policy through GUIs such as the Startup Security Utility in macOS Recovery. It is possible to make your system security much weaker and therefore easier to compromise using this tool. This tool is not to be used in production environments. It is possible to render your system unbootable with this tool. It should only be used to understand how the security of Apple Silicon Macs works. Use at your own risk!”
Each time that you use bputil, you’re told exactly the same, before it does anything for you.

If you’re brave or foolish enough to read any further, you’ll discover that you specify the bootable OS using the APFS Volume Group UUID. So there doesn’t appear to be any way of slipping a version of macOS or any other operating system past M1 boot policy unless it runs from an APFS Volume Group. Among many other factors, this explains why you can’t (yet) boot an M1 Mac into any other operating system. It’s far simpler to run Linux or Windows in a virtual machine, as Parallels Desktop already does. Asahi Linux will be different, though, when it’s ready.

There is, though, one use for bputil which some advanced users will appreciate: the command
sudo bputil -d
in Terminal will provide intimate details of all currently recognised boot disks for that authorised user. You can use the same (without sudo) in Terminal in RecoveryOS.

If there’s more than one bootable macOS Volume Group available, bputil will invite you to select one from a list of UUIDs:
This computer has several macOS installations: 1: 6A516FF1-2AB9-45BD-941A-EEA5568570BF 2: CF3EE91B-D9F8-430C-B5B3-13886470F1FC Pick a macOS installation (1..2):

There follows a long list of information about LocalPolicy for that installation, among which I draw attention to the following:

Full Security enabled – when absent, this means that Full Security is in force;
SIP enabled – when absent, this means that SIP is enabled;
Signed System Volume enabled – when absent, this means that the SSV is intact and required for booting;
Boot Args filtering enabled – when absent, this means that non-standard boot arguments aren’t allowed;
3rd party kexts disabled – when absent, this means that third-party kernel extensions aren’t permitted.

But whatever you do, you can rest assured that merely typing the characters bputil will instantly disable any support that your M1 Mac was signed up for. Damn, there goes my AppleCare again.

Postscript

Comments suggest that my explanation of Permissive Security above isn’t clear enough, so I’ll explain what I understand from Apple’s documentation.

While a user may opt for Reduced Security as a choice, perhaps so that they can run an older version of macOS or enable third-party kernel extensions, Permissive Security (PS) isn’t normally something you’d choose – it’s thrust upon you when you make other choices which aren’t compatible with either of the more normal security levels. To do so, you need to use a command tool whose consequences include the change of level.

One example of these, specifically given by Apple, is disabling SIP on a bootable disk. SIP is an essential part of both Full Security and Reduced Security, so should you turn SIP off using csrutil, macOS will automatically set that boot disk to PS for you. I presume that, as keeping the Bootable Volume Group sealed is another requirement of the two higher security levels, unsealing the system on a bootable disk also inevitably leads to its LocalPolicy being set to PS, although Apple doesn’t explain that.

So PS isn’t the choice that you’d be making in those cases, but a consequence of another choice, and before you could upgrade the security level you’d have to reverse the downgrade that you’d made to its security, for example by enabling SIP again. However, as you can’t re-seal an unsealed System, that appears to be a one-way street.

I hope that makes the situation (as I understand it) a little clearer. For users who might need to disable SIP to delete some protected files, which is a not uncommon reason, this appears to make the process even more daunting.

32Comments

Add yours

1

Michele Galvagno on May 21, 2021 at 10:32 am

Wait… are you saying that merely typing that command in Terminal voids your AppleCare coverage? Is there any warning about it?

LikeLiked by 1 person
- 2
  
  hoakley on May 21, 2021 at 11:39 am
  
  I have absolutely no idea what Apple Support would say if you contacted them and admitted that your bricked M1 resulted from experimenting with bputil. I suspect they’d put you on hold while they all had a good laugh, and once the tears had stopped rolling down their cheeks, they’d suggest that you might like to fix it yourself using Configurator to perform a full restore, perhaps?
  I don’t think that bputil is capable of causing irreparable harm, but at worst you may need to un-brick the M1 using Configurator. If you don’t have a second Mac capable of doing that, then I have no idea whether AppleCare would pay the carriage for your Mac to return and be un-bricked. But then I suspect anyone who did brick their M1 using bputil would make up a different story rather than tell the truth.
  But you can’t say that bputil doesn’t warn you of its potentially dire consequences. Please don’t try this at home!
  Howard.
  
  LikeLiked by 2 people
  - 3
    
    Michele Galvagno on May 21, 2021 at 11:40 am
    
    Oh, I would never dare!
    I’m already sweating when I open the Terminal 😅
    
    LikeLiked by 1 person
  - 4
    
    Jonathan on May 21, 2021 at 11:44 pm
    
    Frankly, I would expect the genius bar at an Apple Store to be able to unbrick a Mac regardless even of Applecare status. It’s not a complicated procedure at all, provided you have access to a second Mac, which they do.
    
    LikeLiked by 1 person
    - 5
      
      hoakley on May 22, 2021 at 8:42 am
      
      Yes, so would I. But what about the many Mac owners who live more than 50 miles from their nearest Genius Bar?
      Mine is close as the crow flies, but takes at least two hours travel, including one 30 minute ferry crossing, to get there. Taking half a day out like that may not be possible for others – that’s why AppleCare can collect and deliver when needed.
      Howard.
      
      LikeLike
6

Javier Gallardo on May 21, 2021 at 1:23 pm

…Every new discovery you describe makes me think that “booting from external disk” in M1 systems is not a feature, but a hack.
Do you think this a temporary state of the “feature”? And where does it seems to aim? Any clue or evidence of Apple working to make a friendlier GUI to use the “feature”? Or does it seems MacOS will not officially support external booting in the future?
(I’m not personally concerned… but I don’t like this possible detour to meet iOS).

LikeLiked by 1 person
- 7
  
  David C. on May 21, 2021 at 1:52 pm
  
  I think it’s more accurate to say that Apple only wants you to be able to boot external volumes where the OS was formatted and installed by an official Apple macOS installer. No cloned volumes and no third-party OS’s.
  
  If you stick with that, the two boot policies presented in the GUI should be sufficient.
  
  For most of us, the big deal is that it makes restoring backups more aggravating because it ends up being more difficult to make a reliable bootable clone. You’ll end up having to recover the old fashioned way – boot a recovery volume, reinstall macOS, install your backup software, restore the data volume from that backup.
  
  Of course, for those who want to run third party operating systems, they may be looking forward to endless games of whack-a-mole, just like people in the iOS jailbreak community do.
  
  LikeLiked by 2 people
  - 8
    
    hstriepe on May 21, 2021 at 10:41 pm
    
    Another alternative is to reinstall over the Data partition. That has worked for me on a system that was not M1.
    I found on the newer versions of macOS the most reliable and fastest way to recovery is to install from recovery and migrate the data.
    
    LikeLiked by 2 people
    - 9
      
      hoakley on May 22, 2021 at 8:43 am
      
      Thank you. Yes, that’s clearly what macOS is heading towards.
      Howard.
      
      LikeLike
- 10
  
  hoakley on May 21, 2021 at 6:43 pm
  
  Thank you.
  Booting from an external disk is an essential feature of M1 systems. Apple has put a lot of engineering effort into it. I think there are still some rough edges with the Fabric support for USB-C and TB3 disks, though, and these are complicated by the new Secure Boot system. As we get more used to them, and the problems with some external devices are sorted out, it will all get simpler.
  Howard.
  
  LikeLike
11

Mac House Calls (Joshua Fried) on May 21, 2021 at 4:15 pm

Just to be clear,

bputil -d

is harmless, as far as we know…right?

LikeLiked by 1 person
- 12
  
  hoakley on May 21, 2021 at 6:50 pm
  
  I have to be careful.
  Apple still has exactly the same warnings about not using bputil when you use the -d option.
  However, as I have suggested above, it reads only and doesn’t change anything. So long as you’re comfortable that you know what you’re doing (and get the command right), I can’t see what risk using it would pose.
  I intend continuing to use it, if that’s any endorsement, but I can restore a dead M1 Mac using Configurator 2 if required.
  Howard.
  
  LikeLike
13

Ron Gomes on May 21, 2021 at 5:23 pm

Mike Bombich has just posted a piece on his blog describing the changes to system boot introduced with Big Sur and why he no longer believes that creating a bootable backup is necessary or even the best strategy. Carbon Copy Cloner will continue to support making bootable backups as long as Apple makes it possible. But he confirms that an Apple Silicon Mac is not bootable at all if its internal storage fails, so making a bootable backup to guard against internal SSD failure is no longer a viable strategy.

https://bombich.com/blog/2021/05/19/beyond-bootable-backups-adapting-recovery-strategies-evolving-platform

LikeLiked by 1 person
- 14
  
  hoakley on May 21, 2021 at 6:54 pm
  
  Thank you for that valuable, which confirms what I been suspecting for a while, and have detailed elsewhere.
  Mike and I discussed the problem of the dead internal SSD shortly before he went to the horse’s mouth, and that’s what I thought. That said, there are situations where the internal SSD could become corrupted and still be recoverable. I think those are pretty well all covered by restore using Configurator, though, so there isn’t really a lot of purpose to trying to restore just the bootable container and System.
  Howard.
  
  LikeLike
15

myxal on May 21, 2021 at 5:46 pm

“Among many other factors, this explains why you can’t (yet) boot an M1 Mac into any other operating system.”

*checks date of publishing* … Say what?

https://corellium.com/blog/linux-m1

Admittedly, it’s a bit of a cheat – as I’m reading it, their script installs linux as a custom kext onto the existing macOS volume. If kexec(8) is an option, sky’s the limit.

LikeLiked by 1 person
- 16
  
  hoakley on May 21, 2021 at 6:57 pm
  
  Thank you.
  I stand by what I wrote: while an impressive hack, I’m afraid it isn’t a practical reality (yet). If you try it, you’ll discover that to return to macOS properly you have to restore the internal SSD afterwards, as it’s left in Permissive Security mode, and I don’t think can be returned to Full Security without a restore.
  Howard.
  
  LikeLike
17

cicerovicious on May 21, 2021 at 6:13 pm

I for one am both surprised and glad such a tool exists. Users should always be the ultimate decider in all things concerning their devices – full stop. This includes having unadulterated access to their system as well as entrusted to use tools as they see fit. The quid-pro here of course is that one signs away their right to complain and seek recompense for any damage resulting from the use – especially errant use – of such tools.

Nice to see some folks at Apple still believe in user\admin rights…

LikeLiked by 1 person
- 18
  
  hoakley on May 21, 2021 at 6:58 pm
  
  Thank you. I agree, although I think the warnings could be better focussed, particularly for the -d option.
  Howard.
  
  LikeLike
19

Wowfunhappy on May 22, 2021 at 12:11 am

I’m currently studying to get a teaching degree, and I specifically want to teach CompSci some day. A lot of today’s programmers got their start as teenagers playing around with code injection in existing apps and games. Code injection, is frankly, a lot of fun—and very educational. And, it’s completely impossible to do while SIP is enabled!

So, the mantra of “no one should _ever_ use bputil” makes me a little uncomfortable. It’s a computer, not dynamite. The level of danger depends on what data is kept on the machine, and the risk should be weighed against the benefits for education, research, and even personal amusement.

Also, once marcan’s work is further along, I’m expecting a lot* of people to buy M1 Macs in order to run Linux, because of how good Apple’s CPUs are. That will require turning off permissive security!

*Where “a lot” equals “a minuscule percentage of the overall Mac user base.” That could still constitute an awful lot of people!

LikeLiked by 1 person
- 20
  
  hoakley on May 22, 2021 at 8:52 am
  
  Thank you.
  I have never met any developer who got such a “start” and will be only too happy when code injection is a thing of the past. If that’s what inspires someone to start coding, then that’s pretty perverse. SIP is a primary security protection, perhaps because those teenagers have grown up into adults who still think it’s fair game to hack other people’s code.
  Apple doesn’t say that no one should ever use bputil – if it did, why even provide the tool? It makes it clear that using it is experimental, and not something you should ever seriously consider on a production Mac. With the exception of the -d option, I think that’s wise advice.
  I’m interested that you think that Linux is going to very popular on M1 Macs, and that Asahi Linux is going to require permissive security to be turned off: there’s currently no way to do that, and if Asahi ships with that requirement, it will have painted itself into a corner which I think it will deeply regret.
  Howard.
  
  LikeLike
21

EcleX on May 22, 2021 at 8:12 am

Talking about booting, is it normal that macOS Big Sur takes more than twice time to cold boot (47 sec) to whow the Desktop icons than macOS Sierra (20 sec)?

LikeLiked by 1 person
- 22
  
  EcleX on May 22, 2021 at 8:13 am
  
  Oops! I meant to show the Desktop.
  
  LikeLiked by 1 person
- 23
  
  hoakley on May 22, 2021 at 8:38 am
  
  There is no such thing as “normal” across all Macs. Which model Mac, what’s it booting Big Sur from, do you have FileVault enabled, and what third-party extensions and other load-at-start items do you have installed? They all make a big difference.
  If you want a quick boot in Big Sur, try a clean M1.
  Howard.
  
  LikeLike
  - 24
    
    EcleX on May 22, 2021 at 9:56 am
    
    Thanks. It is the very same Mac (iMac18,3; mid 2017; 40 GB RAM). Booting from the internal fast 2 TB disk (more than half empty) from Apple (SM2048L; made by Samsung). It is without FileVault enabled. But what I meant is that it happens in the same Mac just before upgrading from macOS 10.12.6 (16G1815) Sierra, when it took 20 seconds to cold boot, whereas now with macOS 11.3.1 (20E241) Big Sur it takes 47 seconds. That is more than twice slower. So, it seems that there is something else involved.
    
    LikeLiked by 1 person
    - 25
      
      hoakley on May 23, 2021 at 8:47 am
      
      Perhaps I need to explain in detail how the Big Sur boot process differs from Sierra?
      In Sierra, it’s much simpler; in Big Sur your Mac doesn’t boot from the System volume, but first has to locate the snapshot there containing the System volume, mount it, check its seal, then boot from that snapshot.
      It looks like that process is taking longer on older Macs. As I don’t have an older Mac here to compare it against, I don’t know whether yours is performing as expected. However, I don’t see any way you have of changing that.
      Howard.
      
      LikeLike
  - 26
    
    EcleX on May 22, 2021 at 9:58 am
    
    Sorry, it was macOS 10.12.6 (16G2136) Sierra.
    
    LikeLiked by 1 person
27

markbot2zero on May 23, 2021 at 8:47 pm

Dear Howard,

re: “I suspect [Apple Support would] put you on hold while they all had a good laugh, and once the tears had stopped rolling down their cheeks, they’d suggest that you might like to fix it yourself…”

I have to confess that the imagery here almost had tears rolling down my cheeks. (It reminds me of that scene from “The Wolf of Wall Street,” where the scammers of a “pump and dump” stock scheme have a clueless mark on speaker phone, while they howl with glee every time he forks over another fifteen grand.)

I hope it’s accurate — even Apple Support troops need a good laugh once in a while to break up the monotony. (“No ma’am, and I’m sorry to have to repeat this: the MacBook Air does NOT come with a mouse.”)

With respect to clone backups: I’ve had them for years, using either Carbon Copy Cloner or, more lately, SuperDuper!. I’ve encouraged clients to have one as well. It was an insurance policy, especially for rotational hard drives.

But I’m wondering: how often does internal SSD (or more precisely, I guess, “solid state storage,” since it isn’t necessarily a discrete “drive” anymore) actually fail outright? I have never heard of that happening, where all of a sudden one day, it simply dies and the Mac won’t boot. Doesn’t it usually get slower and slower as it fades away, something that a utility (e.g., DriveDX) could reveal?

Am I naive, or (for once in my life) lucky?

In other words, I’m wondering whether, as a practical matter, a clone backup is really needed for Macs with internal SSD, at least for a typical user.

Best regards,

-Mark

P.S. Another alternate name possibility for bputil: kryptonite. At best it will render the Mac helpless; more likely will be fatal.

LikeLiked by 1 person
- 28
  
  hoakley on May 23, 2021 at 9:10 pm
  
  Thank you.
  SSD failure is a relatively under-explored topic. Like all solid-state devices, there’s a significant early failure rate in the first week or two of use. After that, most modern SSDs seem to function fine until they’re getting close to running out of life, in terms of erasing their blocks. From what I’ve heard their demise can then become quite rapid.
  This depends largely on how heavily the blocks are erased, and use up their ‘life’. If your Mac normally runs a large VM, then the SSD could start to reach end of life in just two or three years – and that’s what worries some who have reported high write volumes on their M1 Macs.
  If your Mac seldom uses any VM, then your SSD should be good for at least ten years. Watching the indicators on this heavily-used iMac Pro which never uses any VM, I’d project that its SSD will last longer than ten years, by quite a long way, and the same for my two M1 Macs.
  The problem with clone backups isn’t the Data volume, but whether it’s worth trying to clone the System volume. Mike Bombich has recently reconsidered this and, as I’ve written, concludes that from Big Sur they’re a thing of the past. In the future, you’ll have to install a fresh copy of macOS and either hook that up to an existing Data volume, or migrate from a copy or backup.
  I don’t see a problem with that, once we’ve rethought how we prepare for disaster.
  Howard.
  
  LikeLike
29

akshey on August 10, 2021 at 4:29 pm

hi i am using apple m1 .I have downloaded and installed 11.5.1 bigsur using commandline and while rebooting got an error like this what does it mean.kindly help me with this

2021-08-09 07:56:32+02 Reinach softwareupdated[443]: Apply failed with: Error Domain=SUMacControllerError Code=7760 “[SUMacControllerErrorApplyFailed=7760] Failed to perform Apply operation: [MobileSoftwareUpdateErrorDomain(MSU):MSU_ERR_BOOTPOLICY_FAILURE(43)_1_MobileSoftwareUpdateErrorDomain(MSU):MSU_ERR_BOOTPOLICY_FAILURE(43)]” UserInfo={NSLocalizedDescription=Failed to apply the software update. Please try again., SUMacControllerErrorIndicationsMask=0, NSDebugDescription=[SUMacControllerErrorApplyFailed=7760] Failed to perform Apply operation: [MobileSoftwareUpdateErrorDomain(MSU):MSU_ERR_BOOTPOLICY_FAILURE(43)_1_MobileSoftwareUpdateErrorDomain(MSU):MSU_ERR_BOOTPOLICY_FAILURE(43)], NSUnderlyingError=0x136756fc0 {Error Domain=MobileSoftwareUpdateErrorDomain Code=43 “Failed to create local BootPolicy for SFR” UserInfo={NSUnderlyingError=0x1367806b0 {Error Domain=MobileSoftwareUpdateErrorDomain Code=43 “Failed to create local boot policy for software update: 7”

LikeLiked by 1 person
- 30
  
  hoakley on August 10, 2021 at 4:50 pm
  
  That means the install failed because no LocalPolicy could be found. If you can explain what you’re trying to do I may be able to suggest what to try.
  Howard
  
  LikeLike
  - 31
    
    akshey on August 11, 2021 at 5:25 am
    
    I tried to download the 11.5.1 Big Sur using scripts by providing the url .And what is meant by local policy ? is that full and reduced security policy?
    
    LikeLiked by 1 person
    - 32
      
      hoakley on August 11, 2021 at 7:50 am
      
      First choice to perform an update would be to use Software Update if you can. If you’re trying to update from an earlier version of Big Sur, then I’d download the full installer app from the App Store and use that.
      Which version of Big Sur is the M1 currently running?
      I have several articles here explaining LocalPolicy – it includes security policy and more, and is essential for any volume group to be bootable. If this is on your M1’s internal SSD, then that should already be set and saved. Is there any reason it might not be?
      Howard.
      
      LikeLike