hoakley May 31, 2021 Macs, Technology

M1 Macs have a third Recovery mode

If you’ve been following the story of Recovery Modes on M1 Macs, you should now be aware that there are often two: 1 True Recovery (1TR) which you engage by starting your Mac up with the Power button held until it loads Options, and Fallback Recovery (frOS) which requires a first short press on the Power button followed by a second which is held until it loads Options. This article describes a third Recovery Mode, simply known as recoveryOS.

1TR

1TR provides a full suite of recovery tools, which are detailed in these three articles:

Among the most important of those is Startup Security Utility, which lets you change security level of available boot volume groups. This is the only way that you can do that, a design decision made by Apple which it explains in its Platform Security Guide:
“On a Mac with Apple silicon, System Security Utility” [actually Startup Security Utility] “indicates the overall user-configured security state of macOS, such as the booting of a kext or the configuration of System Integrity Protection (SIP). If changing a security setting would significantly degrade security or make the system easier to compromise, users must enter into recoveryOS by holding the power button (so that malware can’t trigger the signal, only a human with physical access can), in order to make the change.”

1TR runs only from its own container on the internal SSD, and boots as its own operating system, which Apple calls recoveryOS. It also provides key tools such as Disk Utility, Terminal, and the ability to install the current version of macOS, making it a complete recovery environment.

Fallback Recovery

When you update macOS on an M1 Mac, the previous recoveryOS is kept in reserve as Fallback Recovery, to provide a safeguard in the event that anything goes wrong installing the new recoveryOS. This is detailed in these two articles:

This is identical to 1TR except that Startup Security Utility isn’t available, so it can’t be used to change security level of available boot volume groups.

recoveryOS

I actually described plain recoveryOS over three months ago in this article without realising it. The major difference here is that this mode isn’t one that you engage: you can’t enter it using the Power button or any keystroke command. It’s only entered when macOS requires it.

My commonest experience with recoveryOS is when using the Startup Disk pane to switch between bootable disks. If there’s anything not quite right with the disk you’re trying to boot from, or when switching back to the internal SSD, you’re likely to be thrown into what is visibly recoveryOS, but without having touched the Power button. These visits are therefore invoked from macOS, and from 11.4 onwards almost certainly rely on the private framework RecoveryOS.framework which was introduced in the 11.4 update.

This can be much more limited than either 1TR or Fallback Recovery, and invariably denies any access to Startup Security Utility, while some of the other tools available in 1TR may also be inaccessible. Typically, this might just offer Boot Recovery Assistant, allowing you to confirm the disk you want to boot from or make a second choice. If that’s good for you, it will then normally reboot macOS as selected and return you to that.

If you can’t choose what you want from its options, then the best course is to shut your Mac down (using a menu command to do so) and then start up in 1TR, where you have a fuller range of tools available.

Summary

These three different modes of Recovery may appear confusing until you understand what they’re intended for.

1TR is the full recovery system, including Startup Security Utility, Disk Utility, and more, and can only be entered by pressing and holding the Power button.
Fallback Recovery is there in case 1TR doesn’t work, but doesn’t include Startup Security Utility.
recoveryOS is invoked not by you but by macOS to tackle a specific issue from Recovery, but doesn’t include Startup Security Utility and may omit others too.

I hope that’s less confusing.

I am very grateful to Pico for pointing out the all-important text in Apple’s Platform Security Guide, and for his suggestions leading to the changes I have made above.

23Comments

Add yours

1

performa475 on May 31, 2021 at 8:07 am

As you promised yesterday, this article certainly does make the M1 recovery options clearer. The inclusion of earlier article links relevant to this topic are very useful indeed. Many thanks.

LikeLiked by 1 person
- 2
  
  hoakley on May 31, 2021 at 11:28 am
  
  Thank you.
  Howard.
  
  LikeLike
3

Pico on May 31, 2021 at 5:48 pm

I haven’t seen this “Boot Recovery Assistant” myself since I haven’t tried externally booting on M1 yet, but are you saying that this mode does not allow access to Terminal or Disk Utility at all?

If so, that may actually be a different recovery mode than what “bputil” refers to a “ordinary recoveryOS” (as opposed to “one true recoveryOS”.

I have found that if you run “bputil” with any invalid command, it will display an error and then also list the “Current OS environment” which shows the distinction between “ordinary” and “one true” recoveryOS. “ordinary recoveryOS” looks identical to “one true recoveryOS” and has all the same apps available, but it at least prevents you from modifying Startup Security even though you can still access the app.

Does that sound different from the Boot Recovery Assistant?

LikeLiked by 1 person
- 4
  
  hoakley on May 31, 2021 at 6:22 pm
  
  Thank you.
  I think that these are one and the same recoveryOS, not yet another another recovery mode!
  I believe that when macOS calls for recoveryOS, it calls a specific part of it. When there’s a problem with a startup disk, it calls the Boot Recovery Assistant, which is the feature in 1TR which works with different boot disks.
  Does that make sense?
  Howard.
  
  LikeLike
  - 5
    
    Pico on May 31, 2021 at 7:10 pm
    
    Totally, that makes sense. Sounds similar to how if you have FileVault enabled you can’t get to all of the features of recoveryOS until you’ve authenticated. You’re still in the full recoveryOS, you are just blocked by the “KeyRecoveryAssistant” app (whose name in the menubar is just “Recovery Assistant”).
    
    Poking around in the “BaseSystem.dmg” source of recoveryOS, I can see that “Boot Recovery Assistant” is its own app within the “/System/Installation/CDIS” folder along side “KeyRecoveryAssistant” and friends.
    
    “Recovery Springboard” is the app you see when you’re finally in what we think of as the full recoveryOS (regardless of being 1TR or ordinary recoveryOS).
    
    “Boot Picker” (the new “Startup Manager” type app) also lives in this same folder. So it seems like recoveryOS forces a series of apps depending on how it was engaged.
    
    1TR = Boot Picker > KeyRecoveryAssistant (which checks volumes and then proceeds if FV is not enabled or blocks for authentication if FV is enabled) > Recovery Springboard
    
    Ordinary recoveryOS can be the same MINUS Boot Picker since I have been able to get to it without being hit with “Boot Recovery Assistant”. For example, after running “Erase Mac” and being rebooted into recoveryOS which I assume you do not want to do to your computers. In the case of rebooting into recoveryOS after “Erase Mac”, “KeyRecoveryAssist” blocks until internet is available to Activate the Mac.
    
    Also, when in “ordinary recoveryOS” I can open the “Startup Security Utility” app, but it just displays an error stating “Security settings cannot be changed. In order to change security settings, please power off your Mac and then hold the power button to startup macOS Recovery.”
    
    So it sounds like when dealing with external drives, “ordinary recoveryOS” can block you at “Boot Recovery Assistant” before doing anything else.
    
    Actually, in some more testing just now after running “Erase Mac”, I rebooted without holding the power button, knowing that booting would fail since there is no OS. I was forced into “ordinary recoveryOS” as expected and now notice that I am actually presented with “Boot Recovery Assistant” (show in the menubar). The alert states that macOS needs to be reinstalled and offers buttons for “Startup Disk” or “Recovery”. If I choose “Recovery” I then get passed through “KeyRecoveryAssistant” before going straight to “Recovery Springboard”, so that would be an amendment the flow chart.
    
    So it is all the same! Just depends on how recoveryOS decides to block you before getting to “Recovery Springboard”.
    
    LikeLiked by 1 person
    - 6
      
      hoakley on May 31, 2021 at 9:01 pm
      
      Thank you for confirming my suspicions. That does make excellent sense.
      Howard.
      
      LikeLike
7

Pico on May 31, 2021 at 8:18 pm

After thinking and talking this through, it feels worth pointing out that “ordinary recoveryOS” may not be as simple and restrictive as you describe.

It can be nearly as fully featured as 1TR (minus being able to perform most actions in Startup Security Utility or bputil or possibly csrutil). Ordinary recoveryOS can and does allow re-installing macOS, working in Disk Utility, and accessing Terminal. So I would consider it a complete recovery environment.

As far as I understand so far, you are booted to the same exact recoveryOS volume when you are in “ordinary recoveryOS” as when you are in 1TR. This is a big difference versus Fallback Recovery.

I am assuming that when you physically hold the power button for 1TR that some internal flag is set (very early in the boot process and presumably stored in a very secure location) indicating that it was physically initiated and therefore recoveryOS is granted the “elevated trust” of being in “one true recoveryOS”. Or something like that is going on by more sophisticated means.

I would assume the capabilities of “ordinary recoveryOS” would probably be exactly the same as “Fallback Recovery” other than being a different versions of recoveryOS (but I haven’t gotten into “Fallback Recovery” myself to play with that). I’m assuming this because I think that maybe “Fallback Recovery” could actually be considered using these terms and in relation to 1TR as simply “the previous version of ordinary recoveryOS”. It may just be that “Fallback Recovery” is never granted the “elevated trust” of being able to do what 1TR can do because of some parameters set by Apple. It would be interesting to see what “bputil” lists as the “Current OS environment” when in “Fallback Recovery”.

It sounds like maybe it’s just that this scenario you’ve run into the most with being forced to “Boot Recovery Assistant” is simply a more restricted and specific mode of “ordinary recoveryOS” rather than being the only way that “ordinary recoveryOS” can function.

I think that rather than considering “ordinary recoveryOS” and “one true recoveryOS” as entirely different recovery environments they may be better described as variations of the same recovery environment, differentiated by the trust level that the hardware grants them. The problem here is that this may be more like a tree of variations with some restrictive sub-modes rather than a simple linear distinction.

What makes this more complex is that being in “one true recoveryOS” also does not guarantee the ability to perform all Startup Security functions in all edge cases. Consider the case of booting into 1TR on a clean install of macOS. There is no user setup yet so there is no Secure Token holder/Volume Owner. Without a Secure Token holder/Volume Owner (which, to add more confusing lingo, bputil and csrutil refer to as an “admin user authorized for recovery”) you cannot change any Startup Security options or disable SIP even though you are in the fully trusted 1TR.

It’s also worth pointing out that this complexity is actually not new to Apple Silicon Macs. It was pointed out on the MacAdmin Slack that “This was true on T2 systems for awhile as well. Booting to recovery via NVRAM wouldn’t let you modify boot security settings. In other words, the concept of 1TR isn’t brand new to Apple silicon.” The same rules about a Secure Token holder not existing also apply on T2, without a Secure Token holder, you cannot modify security settings as well.

LikeLiked by 1 person
- 8
  
  Pico on May 31, 2021 at 9:18 pm
  
  I have re-installed macOS 11.2.3 on my M1 Air since I knew that I could easily force 11.2 into “ordinary recoveryOS” by manually clearing NVRAM which deleted “boot-volume” and other boot critical keys which Apple has protected from deletion in macOS 11.3 and newer (as they should be protected).
  
  It was lucky that I noticed that NVRAM change in the past and now could connect the dots to realize that would be a quick and easy way to get into “ordinary recoveryOS” on demand, which I do not know how to do on macOS 11.3 or newer.
  
  So far, I have confirmed that trying to change most “bputil” options and “csrutil disable” both error with “Failed to create local policy.” messages when trying to use them in “ordinary recoveryOS”. And after boot policy settings have been made in 1TR, bputil will error with “Failed to update boolean tag in local policy” when trying to make changes back in “ordinary recoveryOS”.
  
  I did confirm that I can run “bputil -g” (reduced security) from within “ordinary recoveryOS” as was expected since “man bputil” list “Boot environment requirements: software-launched macOS Recovery or 1TR.” for the “-g, –reduced-security” option while all security settings below that point list “Boot environment requirements: 1TR.”.
  
  If there is anything specific that you would like me to try within “ordinary recoveryOS” please let me know. Even if I wipe this Mac for other testing it isn’t hard to get back on 11.2.3 to do more of this testing later.
  
  LikeLiked by 1 person
  - 9
    
    hoakley on May 31, 2021 at 9:40 pm
    
    Thank you.
    I think, because of the changes we know have taken place in 11.4, anything that happened in earlier releases of macOS is now unreliable evidence as to what is intended! I have just had to completely revise my account of the boot process, publishing tomorrow, as what I observed in 11.3.1 is now complete twaddle. macOS simply doesn’t work the way that it did less than a month ago.
    Howard.
    
    LikeLike
    - 10
      
      Pico on May 31, 2021 at 10:12 pm
      
      Very true, Apple Silicon is moving super fast. I’m not really sure what else I could test anyways. Just was nice to confirm a few things and see the behavior first hand. I’m sure much could and will change again next week at WWDC!
      
      LikeLiked by 1 person
    - 11
      
      hoakley on May 31, 2021 at 11:14 pm
      
      Thank you – and thanks to you I have had to displace that article on M1 booting for an interesting speculative analysis of the firmware updates in 11.4.
      Howard.
      
      LikeLike
- 12
  
  hoakley on May 31, 2021 at 9:27 pm
  
  Thank you. I respectfully disagree.
  Yes, it can have all the same features, except of course Startup Security Utility. But it normally doesn’t.
  This is because of the most fundamental difference between 1TR (and frOS), and recoveryOS: you don’t get to choose your recovery mode. There’s no Power button manoeuvre or shortcut which takes you to recoveryOS. That’s something that macOS controls completely, and it determines what of recoveryOS you are given too.
  For the user, 1TR and frOS are more closely related, as the user chooses which to invoke, and has to do so when starting up. And that’s another important difference: you can’t restart to 1TR or frOS, you have to shut down and start up. Neither can you start up in recoveryOS unless macOS decides to invoke it during startup.
  frOS is exactly what you’d expect – just 1TR from the last release of macOS which was installed when it was last updated, again apart from Startup Security Utility. You get to choose whether to invoke it, and it has to be engaged from a cold boot not a restart.
  Finally, the claim that “the concept of 1TR isn’t brand new to Apple silicon” is bizarre, as it is based on a single security feature, which as you write, isn’t always available anyway. I can assure you that 1TR has been written from scratch for Apple silicon, now that ‘firmware’ and Recovery aren’t constrained by UEFI. It’s completely different in concept, design, and implementation from anything that Apple has offered on Intel systems. One common security feature with T2 (i.e. Apple Silicon precursor) systems is hardly significant here.
  Howard.
  
  LikeLike
  - 13
    
    Pico on May 31, 2021 at 11:18 pm
    
    I think we’re just getting caught up on subtle distinctions and semantics at this point, as well as bias based on the actions we perform most and consider “normal”. Because of the deployment testing I am doing, I regularly get into “ordinary recoveryOS” after running “Erase Mac” to start a new installation. I started out in 1TR because I manually booted to recoveryOS, but landed in “ordinary recoveryOS” after the erase procedure was performed and automatically rebooted the Mac. That is a very important action that lands you back in “ordinary recoveryOS” where you have the all of the required functionality of recoveryOS on Apple Silicon to re-install macOS, etc. That’s an action that should hopefully not be that common throughout someones usage of an Apple Silicon Mac, but is still a very important process. Hopefully normal folks are booting their Apple Silicon Macs to external drives more often than they are erasing them 🙂 So, it’s fair that hitting “ordinary recoveryOS” which is limited to just “Boot Recovery Assistant” in your scenario is more likely to be a regular occurrence for some users. But I don’t think that which mode is most often or easily invoked changes what “ordinary recoveryOS” inherently is.
    
    As for your hesitation in saying that the “concept” of 1TR isn’t brand new, I think that is conflating 1TR and the recoveryOS environment of Apple Silicon. This is because we are now realizing that recoveryOS on Apple Silicon is not in and of itself called “1TR”. 1TR is simply the most secure mode that recoveryOS on Apple Silicon can operate in. When considered this way, I see the parallel pretty clearly to the “concept” of 1TR in relation to the fact that changing Startup Security is prohibited on T2 Macs unless recovery was physically engaged rather than booted via NVRAM flags. I’m sure much of the inner workings of how things are invoked have changed because of the lack of UEFI, and I’m sure the Apple Silicon implementation is much more secure in many ways, but it seems clear to me that this was an earlier iteration of the same idea of the security capabilities that Apple implemented for Apple Silicon. I don’t think anyone was saying they are one and the same, at least that’s not what I was meaning. But it seems clear to me that T2 was something of a playground and test bed for many of the concepts and ideas (not just 1TR) that evolved into maturity on Apple Silicon.
    
    I think that saying “frOS is […] just 1TR from the last release of macOS […] apart from Startup Security Utility” is also conflating what we now know 1TR really means with recoveryOS in and of itself. The fact that is doesn’t have Startup Security Utility capability would make it inherently not 1TR. If you boot into frOS and launch Startup Security Utility, does it give the same “Security settings cannot be changed. In order to change security settings, please power off your Mac and then hold the power button to startup macOS Recovery.” error as “ordinary recoveryOS” does when indicating that it is not in 1TR mode? Also, I’m still curious what “Current OS environment” bputil states for frOS. I may do a new install on 11.3.1 and then update is to 11.4 to do some testing in frOS to see for myself. I suspect that saying “frOS is […] just “ordinary recoveryOS” from the last release of macOS” would be more accurate.
    
    Doing a little digging on this, I found https://support.apple.com/guide/security/boot-modes-sec10869885b/1/web/1 which states that the “Fallback recoveryOS” boot process is: “The same process as recoveryOS boot, except that it boots to a second copy of recoveryOS that is kept for resiliency. However, LLB doesn’t lock an indication into the Boot Progress Register saying it is going into recoveryOS, and therefore the fallback recoveryOS doesn’t have the capability to change the system security state.” That last part seems hugely important and indicates what I’m suspecting. I believe that is describing the process of whether or not a recoveryOS (whether it be primary or fallback) is granted 1TR abilities. It’s not that frOS is or isn’t 1TR the same way that the primary recoveryOS is or isn’t inherently 1TR. They both have the technical capability to operate at the 1TR level of trust within them, it just that frOS will never be granted that ability during the boot process and the primary recoveryOS will only be granted that level of trust when physically engaged rather than booted automatically because of some issue. 1TR is simply a trust level that is seemingly granted to the primary recoveryOS when “LLB locks an indication into the Boot Progress Register that it’s booting into recoveryOS”. Other than the difference in how frOS can be physically engaged, I think this makes frOS much more closely related to “ordinary recoverOS” than it does to 1TR mode of the primary recoveryOS.
    
    To get back to the original note on https://support.apple.com/guide/security/contents-a-localpolicy-file-mac-apple-silicon-secc745a0845/1/web that sparked all of this investigation, “Apple uses the term One True recoveryOS (1TR) to indicate a boot into the primary recoveryOS which is achieved using a physical power button press”. I read this as saying that 1TR is not in and of itself the name of recoveryOS on Apple Silicon or even distinct from the primary recoveryOS, it is a mode which the primary recoveryOS is able operate in.
    
    Maybe my thinking will change with more information (since Apple does not make these things super clear as well as continuing to change things), but I am now shifting away from thinking of recoveryOS on Apple Silicon as 1TR. I think that’s a misnomer. I think 1TR started to get thrown around and we all thought that term alone was the name of the new recoveryOS on Apple Silicon in and of itself, but I think it’s more subtle than that. I think 1TR is just a name to indicate an extra security layer on top of recoveryOS on Apple Silicon. This is undeniably technical nitpickery though, no ordinary Mac user is really gonna care either way what it’s called as long as they can do what they need to do when recoveryOS becomes a necessity.
    
    So to break down how I’m seeing this now I think it’s like this: On Apple Silicon we have Primary recoveryOS (prOS) and (after macOS has been updated) Fallback recoveryOS (frOS). prOS is capable of being granted a higher level of trust which allows it to modify Startup Security settings when it was physically engaged by holding the power button during boot. When prOS is granted this level of trust during boot, it is called One True recoveryOS (1TR). When prOS is booted using NVRAM or when errors occur on startup, it is not granted the 1TR level of trust and is just considered “normal recoveryOS” or “ordinary recoveryOS”. frOS is simply a copy of prOS from the previous version of macOS. When frOS is physically engaged, it will simply never be granted the 1TR level of trust because of the behavior that Apple has coded into the boot process and therefore operates in the same way as prOS does when it is not granted the 1TR level of trust (ie. as “normal recoveryOS” or “ordinary recoveryOS”). So this is simply 2 distinct copies of recoveryOS on different volumes which can operate in different modes. Within these mode, apps such as “Boot Recovery Assistant” or “KeyRecoveryAssistant” could block access to the rest of the apps available within either of these recoveryOS environments depending on the scenario that initiated the boot into the recoveryOS.
    
    LikeLiked by 1 person
    - 14
      
      Pico on June 1, 2021 at 12:52 am
      
      As a test I DFU restored macOS 11.3.1 onto my M1 Air and then upgraded to macOS 11.4.
      
      This resulted in the expected behavior of Primary recoveryOS (prOS) being 11.4 which I can boot into by holding the power button with full 1TR privileges. I also have a Fallback recoveryOS (frOS) which is 11.3.1 and I can boot into by double clicking and then holding the power button and it is not granted 1TR privileges as is dictated by Apples boot processes.
      
      frOS behaves just as expected as an “ordinary recoveryOS”, as shown in the bputil’s “Current OS environment” line. I also get the expected “Security settings cannot be changed. In order to change security settings, please power off your Mac and then hold the power button to startup macOS Recovery.” error when opening Startup Security Utility, the same as in any version of recoveryOS running in “ordinary” mode.
      
      With this way of thinking about it, it is actually quite simple to manually boot to “ordinary recoveryOS” vs 1TR on demand. By double clicking the power button on boot you can get to “ordinary recoveryOS” by booting frOS (which happens to be last version of macOS you had installed instead of the current version) and by holding the power button on boot you can get into prOS in 1TR mode (which is the current version of macOS).
      
      Looking at it this way, I would describe the distinctions between these recoveryOS environments/modes in a bit of a different way that this post describes. I think the distinction between Primary recoveryOS (prOS) and Fallback recoveryOS (frOS) helps a lot in my mental mapping of what is going here (rather than always describing prOS as 1TR).
      
      LikeLiked by 1 person
    - 15
      
      Pico on June 1, 2021 at 4:54 am
      
      One final interesting tidbit that I’ve just discovered… After performing a DFU restore of 11.4, I was curious what environment and mode I would get into when double-clicking and then holding the power button to get into Fallback recoveryOS when there should only be Primary recoveryOS since no updates have been performed yet.
      
      When I did this, I got into what I presume must be prOS since it was properly version 11.4, but it was NOT in 1TR mode. It was “ordinary recoveryOS” as indicated by bputil as well as the standard Startup Security Utility error message. This could be explained by the behavior described in https://support.apple.com/guide/security/boot-modes-sec10869885b/1/web/1 where “LLB doesn’t lock an indication into the Boot Progress Register saying it is going into recoveryOS” when this power button sequence is used on boot. And I’ve got to assume that it checked for frOS and didn’t find it so just booted into prOS instead but into “ordinary recoveryOS” since the flag/indicator was not set in the BPR which would allow 1TR mode.
      
      If I shut down and then do a normal hold the power button boot into recoveryOS, I get back into prOS, but this time in 1TR mode as expected.
      
      This behavior would be difficult to describe if prOS is always called 1TR. I think this situation exemplifies how 1TR is just a possible mode of prOS.
      
      LikeLiked by 1 person
    - 16
      
      hoakley on June 1, 2021 at 9:37 am
      
      Thank you.
      I will be responding in detail with a Postscript later today. Suffice it to say that I stand by what I’ve written in this article. I don’t think inventing new terms like prOS helps the user in the slightest. Apple’s terminology is quite confusing enough, and to add a set of unofficial replacement names for slightly different concepts can only confuse.
      Howard.
      
      LikeLike
    - 17
      
      Pico on June 1, 2021 at 4:39 pm
      
      Looking forward to reading the postscript.
      
      I would like to point out though that I did not invent the term “primary recoveryOS”. It is the terminology that Apple used in https://support.apple.com/guide/security/contents-a-localpolicy-file-mac-apple-silicon-secc745a0845/1/web “Apple uses the term One True recoveryOS (1TR) to indicate a boot into the *primary recoveryOS* which is achieved using a physical power button press.” I simply abbreviated it. For all intents and purposes that term could be replaced with just recoveryOS or rOS. I just found the explicit distinction to help in this discussion. It also worth noting that you used the term “primary rOS” as well to help with this exact distinction when discussing Fallback recoveryOS on https://eclecticlight.co/2021/02/22/why-your-m1-may-not-have-fallback-recovery-yet/
      
      I don’t mean to confuse or add unofficial replacement terms. I’ve been trying dig into the information that Apple has provided to find the right way to accurately describes the different possible states of recoveryOS on Apple Silicon. From this research, I feel that using “1TR” as a blanket term to describe all of recoveryOS on Apple Silicon is what is leading to some confusion when trying to describe and understand these slightly different recoveryOS modes. This is because 1TR is not a thing in and of itself. 1TR is a mode that can be enabled in recoveryOS when the Low-Level Bootloader sets a flag in the Boot Progress Register indicating that the power button was held to enter the primary recoveryOS during boot. It’s a subtle distinction, but one that also makes the behaviors you describe in your article about Fallback recoveryOS that I linked above make more clear sense.
      
      In terms of Apple ever using the term 1TR to describe recoveryOS on Apple Silicon as a whole, I have not been able to find it. But maybe it’s out there somewhere that I haven’t seen in some video or something. Do you have any references to Apple referring to all of recoveryOS on Apple Silicon as 1TR? Other than the LocalPolicy link listed above (which has the clear note about how 1TR is a mode of prOS when the physical power button is held on boot before using the term throughout the rest of the document to indicate this state) the only other reference to 1TR from Apple that I can find is on https://support.apple.com/guide/security/kernel-extensions-sec8e454101b/web which is just explicitly describing engaging 1TR mode by holding the power button on boot. When speaking technically about recoveryOS volumes and their modes on Apple Silicon, neither of these references indicate that 1TR is equivalent to all of recoveryOS on Apple Silicon. Especially when speaking technically about the recoveryOS *volumes* on disk, neither are inherently 1TR since that mode is only enabled at boot time by the LLB when the power button is held.
      
      Although, as I’ve said already, I don’t think it really matters either way what recoveryOS is called to the average user. Apple simply calls it “macOS Recovery” in all of its consumer facing documentation whether referring to Apple Silicon or Intel. For those of us trying to understand the nuances, I think this distinction between prOS and frOS and how 1TR mode can only be enabled on prOS when holding the power button on boot is technically accurate using official terms as well as helpful in understanding the real world behaviors we have seen.
      
      LikeLiked by 1 person
    - 18
      
      hoakley on June 1, 2021 at 5:54 pm
      
      Thank you. It has growed, and will now be a whole article with diagrams. As I need to get my updated account of the boot process out, that will appear tomorrow while I work on the Recovery article for Thursday.
      The more I read your comments, the more I think that we are completely at cross purposes here. This brief article isn’t about the internals of recoveryOS or any other OS, but about the modes of recovery which a user is likely to come across. As you write: “1TR is a mode that can be enabled in recoveryOS when the Low-Level Bootloader sets a flag in the Boot Progress Register indicating that the power button was held to enter the primary recoveryOS during boot.” And that is precisely what I have described in the article above, only without the detail about LLB and flags, which isn’t relevant to the user who presses and holds the Power button on their M1 Mac.
      We have both of us experienced the third mode extensively – you from your experiments with bputil, me from something users are much more likely to encounter, when trying to start up from a disk which isn’t quite right. It’s quite different from what happens when a user engages Recovery using the Power button, and the first time it happens most will be confused, because they appear to be in Recovery although they haven’t even restarted their Mac, let alone touched the Power button. What this article tries to do is explain those three modes, how the user can enter them, what is available to them there, and how, if they happen to have been kicked into the third mode, they can get into the full user Recovery mode which gives them more tools to solve their problem – something which isn’t documented, but from experience can make a big difference.
      I think the article above is clear, practical, and helps the user. If you think that it’s wrong in any way, in that context, let’s discuss it and I’ll happily correct it as necessary. But the full account must wait a couple of days, please.
      Howard.
      
      LikeLike
    - 19
      
      Pico on June 1, 2021 at 6:59 pm
      
      Very much looking forward to the new article with diagrams 👍
      
      Yes, I have been speaking technically and trying to get my head around what exactly 1TR means in relation to recoveryOS on Apple Silicon. That is clearly more technical than the brief overview of modes in this article, but it has lead to the understanding that using 1TR as a blanket statement to describe recoveryOS on Apple Silicon is a misnomer. And this misnomer leads to confusion when trying to explain some distinctions like this article does.
      
      This leads to a few of the statements about plain old “ordinary” recoveryOS in this article being inaccurate in a general sense, such as “This is much more limited than either 1TR or Fallback Recovery, and *invariably* denies any access to Startup Security Utility *or the other tools available* in 1TR.” and “recoveryOS is invoked not by you but by macOS to tackle a specific issue from Recovery, but doesn’t include Startup Security Utility *and others*.” I have noted the issues in asterisks. These are minor details, but make a big difference in the conceptual understanding of what environment someone is actually booted into.
      
      These descriptions you give of primary recoveryOS while not in 1TR mode is somewhat misrepresenting what it really is because of the specific scenario you have encountered it in most often, which happens to limit you to only interacting with “Boot Recovery Assistant”. But that scenario is not representative of being booted into primary recoveryOS without being in 1TR mode in general. I would describe it exactly as you describe Fallback recoveryOS, such as “this is identical to 1TR except that Startup Security Utility isn’t available” since that is literally what it is, other than being a newer version than Fallback recoveryOS.
      
      The fact that there are other sub-modes which block you at other specific apps, such as “Boot Recovery Assistant” is an interesting behavior that is worth noting and investigating, but conflating that one case with primary recoveryOS while not in 1TR mode in general is not an accurate representation.
      
      As a fun aside, this thinking and investigation has lead me to consider why Apple might call this mode “one true recoveryOS”. It seems that this has been thought to be some geeky codename, but I think it may actually be a nerdy technical shorthand instead. Of course, I have no way of knowing for sure, but here is my speculation: My first thought was that “one true” may actually be shorthand for “BPR 1 is equal to true” which may be valid if the Boot Progress Register that stores the flag to indicate that recoveryOS was initiated by a physical power button press is stored in position one. When trying to investigate this suspicion, I started searching the Asahi Linux Wiki since those are probably the only people that would have dug into M1 enough to have any relevant data about this. From there I found https://github.com/AsahiLinux/docs/wiki/SW:Boot#modes which leads me to think that “one true” may instead be shorthand for “boot mode 1 is equal to true”. Again, I’ve got no way to know what the Apple engineers were really thinking, but this feels like it give some relevant meaning to the otherwise somewhat meaning less “one true recoveryOS”.
      
      LikeLiked by 1 person
    - 20
      
      hoakley on June 1, 2021 at 7:24 pm
      
      Thank you. I have amended that section to include your experience with the third mode.
      I don’t think that Boot Recovery Assistant is a sub-mode at all. If the private framework just gave access to recoveryOS, then it would be a pretty minimal framework, and I suspect included elsewhere (where its functions must have existed before 11.4). Rather, I think what it provides is a range of different entries into recoveryOS which different apps and systems can call. Boot Recovery Assistant is but one of those, as is the more general entry point of which you have most experience. I do recall seeing at least one other in the past, but as macOS has changed so much in getting to 11.4, I don’t know whether that still exists. That’s what I think the new private framework delivers.
      What we need next is someone who has worked out how to hack into it!
      Howard.
      
      LikeLike
    - 21
      
      Pico on June 1, 2021 at 8:31 pm
      
      Thank you, I think those amendments make these statements more accurate.
      
      I agree that sub-mode may not be the best term for when one of the apps in recoveryOS blocks access to the rest of the tools. I’m giving my first go at setting up an external drive for my M1 Air now that it sounds like it may not be such a hassle as with past versions. It will be interesting to get into the “Boot Recovery Assistant” windows that you have experienced when switching startup drives first hand to see what’s going on there.
      
      The speculation about the private RecoverOS.framework is interesting. I can see that it is also present on my Intel Mac as well though, but no clue if it’s just dormant or what. It could be possible that this framework may just be a consolidation of tools for the creation and maintenance of recoveryOS partitions rather than providing any access to recoveryOS or interacting with recoveryOS directly, but I can’t know for sure.
      
      I originally thought that all of the times you could get forced into recoveryOS were because of issues or whatnot were detected during the boot phase (by LLB or iBoot or something) long before any macOS frameworks could be at play and were not initiated by a previously running version of macOS. But, who knows if that is true or has changed or what. It could be true that this new private RecoverOS.framework provides a secure way for macOS to signal that the Mac needs to boot into recoveryOS by being one of very few tools that is allowed to modify protected NVRAM keys, or by some other means.
      
      LikeLiked by 1 person
    - 22
      
      Pico on June 2, 2021 at 12:26 am
      
      I think I was able to get myself to the same “Boot Recovery Assistant” windows as you’ve described when externally booting. It is a window which states “Authentication is required to verify startup disk.” and has my internal drive user account in a dropdown list and wants my internal drive user account password. Is that the same?
      
      When presented with this “Boot Recovery Assistant” window in recoveryOS, I found that you are actually not totally prevented from getting to “Recovery Springboard” to be able to access all the rest of primary recoveryOS in “ordinary” non-1TR-mode, but it’s kinda like you have to trick recoveryOS into letting you in. If you click “Cancel” you will then be presented with an alert with options to “Show Startup Disk” or “Try Again”. If you choose “Show Startup Disk” and then simply QUIT Startup Disk, you will proceed into ordinary recoveryOS after being passed through “KeyRecoveryAssist” as usual.
      
      Once I was in full recoveryOS I checked “sw_vers” in Terminal to be sure that I was in my 11.4 primary recoveryOS instead of my 11.3.1 fallback recoveryOS, which I was (since I DFU restore 11.3.1 again and upgraded it to 11.4 to be able check for this distinction with confidence). I then opened “Startup Security Utility” to confirm that I would get the usual alert when not in 1TR mode, which I did. And I doubly confirmed that “bputil” showed that I was in “ordinary recoveryOS”, which I was.
      
      It is worth noting as well that I was able to get to this point without passing through Startup Disk in full macOS at all, so the new private RecoveryOS.framework was at least not involved in this round of testing. I believe this solely had to do with some checks failing during the LLB or iBoot phases.
      
      After I rebooted within recoveryOS to get myself back myself automatically forced back to recoveryOS to get back to the original “Boot Recovery Assistant” prompt and authenticated with my internal drive users password, I got properly rebooted into full macOS on my external drive. After this one authentication, switching between the internal and external drive did not require authentication through ordinary primary recoveryOS again.
      
      To be able to force this situation, I had to DFU restore the Mac after having used it to install macOS on the external drive so that the internal drive had a new user that had never previously authenticated the installation on the external drive. This was tedious since I DFU restored 11.3.1 and then upgraded to 11.4 so that I could confirm a distinct difference between prOS and frOS. I repeated this process twice to be sure since once I authenticated I could not get myself back to “Boot Recovery Assistant”, which is a testament to how good external booting has gotten on Apple Silicon.
      
      Overall, switching between my external and internal drive worked seamlessly on my M1 Air and I had to work really hard to even be able to see this “Boot Recovery Assistant” window in recoveryOS. For reference, I am using this relatively cheap Sabrent M.2 NVMe enclosure (https://www.amazon.com/gp/product/B08RVC6F9Y) with the USB-C 3.2 cable that it came with and I have a Crucial P5 NVMe inside.
      
      LikeLiked by 1 person
    - 23
      
      hoakley on June 2, 2021 at 8:42 am
      
      Thank you.
      I’m not sure that is what I’m seeing! Every time I boot back from an external SSD to the internal, there’s an initial boot chime, then the Mac starts up in this limited Recovery Assistant which takes you through authentication for the new boot disk. At the end of that, you restart the Mac a second time and it boots normally from the internal disk.
      Full details tomorrow.
      Howard.
      
      LikeLike

·Comments are closed.

Share this:

Like this:

Related