Last Week on My Mac: The slim hope of recovery

Don’t be put off by its title: Apple Platform Security Guide is mandatory reading for all advanced Mac Users, and the only way we get to learn about important details of macOS, iCloud, and much else.

Its annual revision was published late last week, inappropriately on Friday 13th. While I still have a great deal more to read, my attention was drawn to an important change in M1 recoveryOS with external boot disks. What I read horrified me, as not only has it not been explained in user documentation, but what’s written in this Guide is incorrect.

Although Secure Boot on M1 series Macs has similarities with that on T2 Macs, how the two architectures handle booting from external disks is quite different. From the outset T2 Macs don’t really want to do that, and you have to enable it using Startup Security Utility in Recovery Mode. M1 series Macs are more accommodating, and have an elaborate system of LocalPolicy to enable them to boot from external disks without that hassle. One good reason for wanting to do that is when you sometimes need to run your M1 Mac at reduced security so it can load third-party kernel extensions (kexts), something a T2 has few qualms about. To do that on your M1 Mac, you’ll need to boot it in recoveryOS and use its Startup Security Utility to reduce security and to enable the loading of third-party kexts.

This has changed from Big Sur to Monterey, as reflected in new instructions included in this latest edition of the Guide.

This comes about because M1 Recovery has changed too. In Big Sur, whenever you boot into primary recoveryOS, that uses a dedicated container on the internal SSD. In Monterey, primary recoveryOS is now a paired volume in the current boot volume group, much as it is in all Intel Macs. I documented this change here, and so far it not only works better, but it ensures that Recovery Mode is that intended for the system your Mac is booted from, a big step forward.

This is explained clearly in this updated Guide, but there’s an important addition which could explain why some users have had problems with external boot disks in Monterey. Let me quote the exact words:
“To boot into a paired recoveryOS for any macOS installation, that installation needs to be selected as the default, which is done using Startup Disk in System Preferences or by starting any recoveryOS and holding Option while selecting a volume.”
I have added emphasis to the key words here, which refer to making a boot volume group “the default”.

What’s most troubling is that neither of the procedures mentioned explicitly do that, as far as the user is concerned, and the latter is in complete contrast to the way that Intel Macs work.

startupdisk

First, the Startup Disk pane on M1 series Macs is identical in appearance and function to that on Intel Macs. Once you’ve authenticated, select the disk (boot volume group) you want your Mac to start up from, and click its Restart… button. Nowhere is there any mention of making that boot disk “the default”.

If that isn’t confusing enough, try it in Recovery. If you follow the procedure given in the Guide, all you’ll see is a Continue button, not the button labelled Always Use, which presumably makes that boot volume group “the default”. In order to see that displayed, the procedure required is subtly different: you have to select the boot disk icon first, then hold the Option key until the button below it changes to Always Use.

That procedure has puzzled some of us since it first appeared in Big Sur, as we couldn’t understand the difference between always using a boot volume group, and restarting using it. As far as the user is concerned, the effect is identical, and the same as when used on an Intel Mac. This mystery deepens, as that isn’t the only place that M1 Recovery Mode lets you change the boot volume group, although it is the only one which employs the words “Always Use”.

If, instead of making your choice of boot disk in the first Recovery screen, you select Options to show the main Recovery menu, you’ll see another option in the Apple menu there, the command Startup Disk…, which displays a dialog not unlike that in the Startup Disk pane in regular macOS, which has a different button labelled simply Restart…. Are you confused yet?

The importance of this is that, according to this latest edition of the Guide, if you don’t boot correctly from the paired recoveryOS for the boot volume group whose boot security you want to change, any changes made in Startup Security Utility may not take properly. Indeed, several of us have experienced problems trying to get a downgraded copy of macOS on an external disk to load third-party kexts. Could this be the result of our not setting that boot volume group as “the default”?

Look in any of Apple’s user documentation such as its guide to M1 Recovery Mode and you won’t see any of this mentioned, let alone explained. The only other place that I’ve found any reference to this is, as you’d expect, in man bputil, where it states:
“Every installation of macOS 12 is paired to a recoveryOS stored on the corresponding APFS volume group. If a macOS 12 installation is selected to boot by default, then its paired recoveryOS will be booted by holding down the power key at boot time. The paired recoveryOS can downgrade security settings for the paired macOS installation, but not any other macOS installation.”
Strangely, that man page is dated 1 September 2020, although that change wasn’t introduced until a year later with Monterey.

What the Guide says currently is incorrect at the least. If M1 Recovery Mode really does have two different ways of selecting the boot volume group to be used next, their differences need to be explained properly and not left to inference and guesswork. Users, who are hardly likely to pore over the Guide or study bputil’s man page, need clear explanation of how they should start their M1 Macs from an external boot disk, how its local Recovery system is paired to it, and how to use Startup Security Utility effectively.

Finally, macOS Monterey 12.0.1 was released on 25 October 2021. This new version of the Guide was published on 13 May 2022, over six months later.

I’m very grateful to @mikeymikey for drawing my attention to this.

9Comments

Add yours

1

Joey Jay on May 15, 2022 at 12:36 pm

Thank you for this information. It reflects my frustration with trying to get 3rd party kernel extensions running on an external installation of macOS.

Perhaps by “default” they mean you have to boot into the external volume once before you can go back and change the security settings for it. Have you found that the external volume boots automatically without intervention after a restart?

It sounds like Apple’s goal here is to keep booting the internal drive by default )for security reasons) unless you specify otherwise using the Option key to choose “Always Use” (thus changing the external drive to being the default). This would match the terminology and procedure when right-clicking a file and choosing an App to open it with the option to “Always Use” that App going forward. However the documentation perhaps has not yet caught up with the specifics. It’s very common for coders, designers, documentation writers, and software engineers to get out of sync, especially on lesser-used features that don’t get noticed or reported by very many people.

LikeLiked by 1 person
- 2
  
  hoakley on May 15, 2022 at 12:49 pm
  
  Thank you.
  The Platform Security Guide – the only place where this is described other than in man bputil – explicitly (if incorrectly!) describes what it means by making the external boot disk the default, as I have quoted above.
  What it doesn’t explain is what ‘Always Use’ means in practice. Whenever and however you change the boot disk and restart, your Mac always boots into the new boot disk, and continues doing so until you change it again. That’s identical behaviour in Intel and M1 Macs. It doesn’t actually mean always use, either – it simply means use it until it’s changed, which is exactly what all three of the controls do.
  Yes, when you change boot disk, you should always let your Mac boot normally into the new boot system before trying to enter Recovery Mode for that boot disk. But that isn’t described as being necessary in either the Guide or man bputil.
  As this change was introduced in the Monterey betas last summer, and was partially documented pre-release in man bputil, Apple should have explained this properly to users with the release of 12.0.1 last year.
  Howard.
  
  LikeLike
  - 3
    
    Joey Jay on May 15, 2022 at 12:58 pm
    
    Agreed.
    
    I have a feeling that since the “Always Use” feature is starting to show up, but not yet implemented, simply means Apple intends on automatically reverting to booting from the internal disk on the next restart unless this option is specifically chosen.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on May 15, 2022 at 7:32 pm
      
      Thank you.
      I don’t think that’s going to happen, as it would make external boot disks essentially useless. Apple has invested a lot of engineering effort in making them easier to use within Secure Boot, than with T2 Macs. I think you can rest assured that your Mac will continue to boot from its external disk until you change that setting.
      Howard.
      
      LikeLiked by 1 person
5

Joey Jay on May 15, 2022 at 1:00 pm

By making the system automatically restart from the internal disk after it has booted from an external disk, it avoids the problem of a system hanging when attempting to restart… after a user has started from an external disk and then shuts down and removes that external disk.

LikeLiked by 1 person
- 6
  
  hoakley on May 15, 2022 at 7:36 pm
  
  Thank you. I had thought this bug was resolved now.
  It’s actually a much greater challenge for an Intel Mac, which has to be able to complete its whole boot process from just firmware and the selected boot disk, internal or external.
  An M1 Mac has the advantage that much of its boot process has to take place from its internal storage, where things like LocalPolicy are saved to disk. So if it can’t find a designated external boot disk, it can readily continue to boot from its internal SSD, to which it already has access.
  So there’s no excuse for an M1 Mac crashing or looping if it can’t find an expected external boot disk.
  Howard.
  
  LikeLiked by 1 person
7

platyhsu on May 16, 2022 at 6:28 am

Thank you for the article. I find it disappointing that Apple keeps revealing important caveats piecemeal in various manuals and whitepapers like this, as though they would users not learn about them systematically. Are you aware if there’s a portal/catalog, or at least a convenient way to keep track, of PDF format documentations they’ve published over time? Thanks.

LikeLiked by 2 people
- 8
  
  hoakley on May 16, 2022 at 8:35 am
  
  Apple doesn’t appear to maintain any such lists. At one time it even announced recent tech notes and the like, but doesn’t do that any more.
  Life would be so much easier…
  Howard.
  
  LikeLiked by 1 person
9

Michael Tsai - Blog - Apple Platform Security Guide (May 2022) on May 16, 2022 at 8:22 pm

[…] Howard Oakley: […]

LikeLiked by 1 person

Share this:

Related