hoakley September 3, 2022 Macs, Technology

Does a macOS update change the Data volume?

Updating macOS is widely held responsible for all manner of problems. If you’re unlucky and a firmware update turns sour, or your Mac’s internal storage gets scrambled completely, then that’s fair cause. But since Big Sur, with the introduction of the SSV (signed and sealed System Volume), updates should have become extremely reliable. Yet users still report problems.

While traditional macOS updates were fairly simple to understand, these modern updates are more complex. But however they achieve it, at the end the snapshot your system runs from has to be bit-perfect. At least on T2 and Apple silicon Macs, every byte in that snapshot is checked against a tree of cryptographic hashes, and only if the Seal at the top matches that prescribed by Apple will that system be bootable.

Most of the problems experience by users, though, are more likely to be attributable to changes or errors in the Data volume, which isn’t sealed. What’s confusing here is that Apple’s official word is that a modern update doesn’t alter the file system or data on the Data volume. In its Platform Security Guide, Apple states: “Finally, the user’s data volume is never mounted during a software update, to help prevent anything being read from or written to that volume during updates.”

With a verifiably perfect System volume and firmware, if the Data volume has remained unmounted during the update, what could possibly have changed? The answer lies in what really does happen during a macOS update.

Big Sur and Monterey run almost all their system software from the mounted snapshot of the System volume, but not everything can be installed there. Among the most notable exceptions are Safari and various CoreServices.

In the Finder, select one of the apps bundled with macOS, such as Reminders, and open a Get Info dialog on it. Its path is shown as being in
Macintosh HD/System/Applications, which locates it within the System volume, and the SSV. Repeat that with one of your own apps, and the path given is different, such as Macintosh HD/Applications, which is located on the Data volume. Now inspect Safari, and you’ll find it on the Data volume as well.

If the Data volume were literally never mounted during the whole of a macOS update, then the only components in Safari that could be updated are those on the System volume, particularly WebKit and its supporting frameworks, and the app itself couldn’t be changed or replaced. Another common observation during Big Sur and some Monterey updates is that some install an older version of security data files, which are found in the path Macintosh HD/Library/Apple/System/Library/CoreServices, firmly on the Data volume. This similarly applies to Rosetta 2.

What I think Apple means by that sentence is that the Data volume is unmounted during installation of files on the System volume, and generation of the SSV. But once that phase of update installation has completed, and the update process comes to install system components on the Data volume, that volume has to be mounted. Maybe it’s at that point that troubles begin for some Macs.

This could also explain why installing or re-installing macOS can still fix problems, even though the SSV generated is absolutely identical. As its cryptographic hash tree doesn’t extend across firmlinks to the Data volume, there’s no guarantee that’s perfect in the folders that contain parts of the system.

Ventura is set to change this again, with its support for what Apple calls Rapid Security Response, in which patch updates can be saved to protected storage on the Preboot volume. These are cryptex disk images, cryptographically sealed extensions, where Safari will be stored in the future. It may then be possible for the whole of a macOS update to complete before the Data volume is mounted. Then we’ll have to devise another universal panacea for all those problems which can occur after a macOS update.

6Comments

Add yours

1

Zorin on September 3, 2022 at 2:30 pm

Apple used to have MacOS take an APFS snapshot before the update, allowing you to very easily roll back to it if something went wrong with the update.

They stopped doing this at one point, which was sad. It would be so easy to do, too; snapshot the data volume, and simply KEEP the previous boot snapshot from the boot volume. Then just a few clicks in MacOS recovery could bring the system back to the previous OS.

I have to wonder why they took out such a useful feature.

LikeLiked by 1 person
- 2
  
  hoakley on September 3, 2022 at 3:48 pm
  
  I think you’ll find that was before Big Sur, and it applied to the System volume, not the Data volume (which has snapshots made by Time Machine, or the user, freely available anyway).
  There are loads of problems with doing that with the SSV used from Big Sur onwards. First, the space required, which for a major update (the most important case) would be over 10 GB. Second, the problem with the fact that the SSV is signed and sealed, so that would have to preserve the whole of the previous SSV. Third, working out how you could roll back to that previous snapshot anyway. It really isn’t a matter of “a few clicks”, I’m afraid, particularly on Apple silicon.
  In any case, the problem isn’t rolling back to the previous SSV – all you need for that is the previous macOS installer and that can do that much more reliably – but rolling back the System, Data, PreBoot and Recovery volumes all at once. Apple silicon Macs have a very good way of going that and rolling back the firmware too, in the restore process in DFU mode. And that really is a magic feature which is proving its worth every day on many Macs.
  Howard.
  
  LikeLike
3

Duncan on September 3, 2022 at 2:34 pm

For those using Carbon Copy Cloner, when doing a ‘whole disk’ clone the only bundled Apple app to show up in the clone’s Applications folder is Safari (mixed in with all the user’s own apps). I also have Numbers.app in mine (an optional app), carried over by Migration Assistant from a previous install.

CCC omits all the other bundled apps from the clone, as those can be recovered from the re-install process if necessary, and wouldn’t serve any purpose from a clone/backup anyway as there’d be no way to copy them back to the SSV.

LikeLiked by 1 person
- 4
  
  hoakley on September 3, 2022 at 3:50 pm
  
  Thank you. That’s because (unless you opt for the ‘total clone’, which is no longer encouraged) CCC only clones the Data volume, and not the System volume. Apart from Safari, all the bundled apps are in the System volume, so aren’t included in the cloning.
  Howard.
  
  LikeLiked by 1 person
5

Sebby on September 6, 2022 at 10:28 pm

Mmm, I think the substance of the updates is probably still the biggest issue. Whether it really matters that they’re fully protected when one cannot really do anything about it when they go wrong is probably an open question, the answer being dependent mostly on the sentiments of the answerer. For instance, my iMac 2020’s Ethernet controller now routinely stops sending or receiving packets a few days after a reboot, and only another reboot fixes it. This was introduced in a recent minor Monterey update. Can I realistically hope to fix that situation myself? Probably not, so the seal doesn’t represent a problem, in the sense that it doesn’t stop me from taking action. Would it be useful to do so, for instance by using an older version of the kext, or one installed elsewhere in the system or on the data volume? Sure, if it were possible and I knew how to do it, but that’s clearly not what Apple has in mind. For all practical purposes the sealed system volume is storage that’s no longer a user concern, and as with iOS, is simply above any consideration for rectification; either it worked or it didn’t. That’s great for super reliability of the update process itself and for keeping backups small, but now you’ve lost control over the system software, which isn’t a part of the whole system but maintained separately from your data. It’s great, in other words, until you need an escape hatch. This is obviously most noticeable with clones of Apple Silicon Macs where the cost of producing one is so high that it’s realistically not done, and you simply have to update your clones as you update your live system. The data volume, by contrast, is now easier than ever to migrate from and to, you can even do it manually if you want. If an update does somehow go horribly wrong and ruin your data volume, it’s probably ultimately recoverable because the process is very predictable and, as you say, only Safari and downloaded assets are stored there and can be trivially skipped or avoided during transition. So I don’t know that the “worst case scenario” is damage to the data volume, if ever it was, other than some truly horrendous bug, perhaps in the file system code. It’s probably the contents of the updates themselves. No doubt it’s great to see even more going under the seal in Ventura, but I’m worried about the quality of those updates.

LikeLiked by 1 person
- 6
  
  hoakley on September 7, 2022 at 6:58 am
  
  Thank you.
  Then your only solution is not to update, with all the vulnerabilities that leaves open, etc.
  Howard.
  
  LikeLike

·Comments are closed.

Share this:

Like this:

Related