hoakley February 20, 2023 Macs, Technology

macOS 13.2.1, authenticated restart and fdesetup

A small minority of users experienced something strange when they updated to macOS 13.2.1, or even 13.2. Instead of the updated macOS automatically returning them to the Finder and Desktop once the update was complete, it bounced the Mac into Recovery (or similar, if your Mac is managed) and asked for the password. This article explains what happened, and other accidents that can happen when updates don’t work right.

Like so much else, macOS updates aren’t what they used to be. There was a time when I used to count the number of startup chimes sounded during each update. Now everything is orderly, quiet, and on Apple silicon Macs in particular very quick. This relies partly on what’s known as an authenticated restart, sparing you from having to enter your password to unlock FileVault.

macOS 13.2.1 update

As Robert Hammen has proposed, what most probably happened at the end of the 13.2.1 (or 13.2 for some) update was that authenticated restart didn’t work properly. Instead of the updated macOS booting silently straight into the Finder, the Mac ended up in Recovery where the user had to authenticate to unlock FileVault. Once they had done that, the restart should have completed correctly, and that Mac resumed working normally.

Robert advises restarting that Mac, and if necessary installing the update again, within 30 minutes, if that’s offered. In most cases, though, the update should have succeeded and no further update will be available.

Failed macOS updates

This is different from what should happen when an update fails to install correctly. If the SSV can’t be built, mounted and booted successfully, that Mac should be returned to Recovery mode for a full reinstall of macOS. In the worst case, with a failed firmware update, Apple silicon Macs could be put into DFU mode awaiting connection from another Mac and emergency surgery using Apple Configurator 2 to refresh the firmware or perform a full restore.

The other serious consequence is that an Intel or Apple silicon Mac could get trapped in a boot loop, in which it suffers a panic whenever it tries to boot, and that results in a series of reboot-panic cycles. While that may appear alarming at the time, as it did to me the first time it happened here, the solution of choice is to press and hold the Power button to force the Mac to shut down. Wait at least 20 seconds, then try starting it up straight into Recovery.

These should all be very rare events, though. It remains to be seen whether the new update system is prone to failure of authenticated restart, or whether this proves to be a one-off glitch.

Apple uses authenticated restarts because they make updates more seamless. Now that an Apple silicon Mac can install a macOS update in just a few minutes, this final touch minimises their downtime and user interaction. They’re also highly secure: on Apple silicon and T2 Intel Macs, they’re handled by the Secure Enclave. The only significant difference there is that the token used to authorise them on Apple silicon models can only be used once.

`fdesetup`

Authenticated restarts are also available to the user, through the fdesetup command tool (the fde in its name referring to Full Disk Encryption). That tool is the utility provided for working with FileVault, and has many important and potentially dangerous verbs. Provided that FileVault is enabled on the current boot volume group, the command
sudo fdesetup authrestart -delayminutes 0
restarts the system immediately, bypassing the normal initial unlock. Before the restart can occur, you also have to provide the short username and password for a user entitled to unlock FileVault.

You can also use the tool to list users able to unlock FileVault:
sudo fdesetup list
or for more detail, including any iCloud Recovery Record:
sudo fdesetup list -extended

Two more things

Of course, macOS updates don’t just use an authenticated restart to appear so seamless. They also log the current user back in automatically, and temporarily mute the startup chime. As far as I’m aware, unlike authenticated restarts, those tricks aren’t made available to mere users.

Hopefully, when we update to macOS 13.3 there’ll be none of these shenanigans.

20Comments

Add yours

1

James on February 20, 2023 at 10:46 am

“Apple silicon Macs could be put into DFU mode awaiting connection from another Mac and emergency surgery using Apple Configurator 2 to refresh the firmware or perform a full restore.”

I still find the need for another Mac an irritating requirement. I don’t travel with two Macs and in some cases even finding another Mac to use could be difficult. They should also enable the ability to do this from a iPhone and iPad.

LikeLiked by 2 people
- 2
  
  hoakley on February 20, 2023 at 4:40 pm
  
  Well, it’s a world better than Intel Macs. If they get screwed up badly, the only place that can sort them out is an Apple store or authorised provider. What DFU mode brings is more, not less. It’s a bonus, not a penalty.
  Howard.
  
  LikeLike
  - 3
    
    Sebby on February 21, 2023 at 5:58 am
    
    I dunno. It’s great to have the option, sure, and it makes them practically unbrickable, which is terrific. But on the other hand, it’s still quite easy to mess up the internal SSD and 1TR with not too much effort, and Intel Macs could get you out of that, with Internet Recovery from firmware, when it actually works (which increasingly it doesn’t). Even then, often the problem turns out to be over-restrictive boot policy after a failed erase that would stop you external-booting by default to fix it, and putting it into Target Disk Mode would let you squirt a fresh and Apple-signed image onto it from any other Mac with asr to work around that. So, I think, six of one, half a dozen of the other.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on February 21, 2023 at 11:13 am
      
      Thank you. I’ll be writing more about this shortly.
      Howard.
      
      LikeLike
5

Simon on February 20, 2023 at 4:06 pm

> Now everything is orderly, quiet, and on Apple silicon Macs in particular very quick.

I cannot confirm that. This last little dot update took ~20 min to return my M1 Pro MBP to working order, despite 32 GB RAM. And that was *without* any of the above mentioned shenanigans. The update worked flawlessly, it just takes forever. It’s surprising to me how long updates take on iOS and now AS Macs. We have so much CPU power these days and the MBP’s flash easily pushes 6GB/s. IMHO these updates should take under a minute, not prompt us to go eat lunch.

LikeLiked by 1 person
- 6
  
  hoakley on February 20, 2023 at 4:46 pm
  
  Are you including preparation time, during which you can work perfectly normally?
  If not, and your Apple silicon Mac really did take that long to install the update, something clearly went wrong.
  I’d be interested to know how the installer can install what it needs, create the snapshot for the SSV, and compute and save its entire hash tree in less than a minute.
  You should find RSRs a lot quicker, though – and without any restart. It’s just that you can’t replace the kernel etc. with an RSR.
  Howard.
  
  LikeLike
7

Alan B on February 20, 2023 at 4:11 pm

Is it not possible to initialise the internal drive and install macOS on a ‘Silicon’ Mac via a bootable macOS installer on a USB drive?

LikeLiked by 1 person
- 8
  
  hoakley on February 20, 2023 at 4:48 pm
  
  Although it depends on what you mean by “initialise the internal drive”, essentially the answer is no. Apple silicon Macs don’t and can’t actually boot from a ‘bootable installer’. They always boot first from their internal SSD – that’s how they have Secure Boot.
  Howard.
  
  LikeLike
  - 9
    
    Alan B on February 20, 2023 at 4:56 pm
    
    As I suspected. Incidentally out of habit I do keep a bootable installer on a USB stick as I did when I only had Intel Macs.
    
    LikeLiked by 1 person
10

Simon Simpson on February 20, 2023 at 9:24 pm

I enjoyed this ‘little’ diversion when updating my iMac to Monterey 12.6, allegedly just a security update, but I found myself having to re-authenticate my password which raised my anxiety level (and blood pressure) somewhat. Hoping it won’t happen again…(?)

LikeLiked by 1 person
11

Sebby on February 21, 2023 at 6:12 am

Sorry, forgot to say what I actually came here to say! Concerning the meat of the article, and in particular Two More Things. Yes, we really need fdesetup to log us back in after restart in the fashion of updates. That’s the main reason running an encrypted server isn’t possible—sooner or later you’ll want to run some app that can only plausibly work in a logged-in session, and/or has no means of non-agent operation using proper system-wide launchd daemons. This would be an “easy win” if implemented, and would give Macs a clear head-and-shoulders advantage over most SFF server hardware. Encrypt your internal disk, encrypt your external SSDs for storage and backup—you could have an encrypted NAS. Put your email, calendars, contacts, etc in a VM running on top, and “the fuzz” can’t take it without a fight. Just imagine the possibilities …

LikeLiked by 1 person
- 12
  
  hoakley on February 21, 2023 at 11:14 am
  
  Thank you.
  A dedicated NAS is much cheaper and simpler, surely?
  Howard.
  
  LikeLike
  - 13
    
    Sebby on February 21, 2023 at 11:34 am
    
    Depends on what you want to do. For just a NAS, sure, many boxes out there (but, really, Synology, because reasons). If you wanted more powerful hardware for transcoding, more RAM for VMs, or what have you, a Mac does fill a need and it’s how I’m doing it myself, albeit, if I had a need for a great deal more storage than could fit into a dual-NVME enclosure, probably I would go the NAS route as well. I do wish that there were more hardware out there that would allow you to run your own OS on it, though. Mac comes close to that for many use cases, but something Linux-powered would be terrific. I just got myself a Linkstar H68K for use as a router, but there’s also MikroTik RouterOS-powered devices which are so close as to (almost) make no difference in flexibility. The chief obstacle to using macOS is that you need to run VMs to do things many NAS boxes can do natively, but on the other hand the chief advantage to running Macs is massive power efficiency for such small, low-profile machines, as long as you are happy with external storage and the benefits (really, conveniences) and limitations of the host OS. It’s an interesting dynamic.
    
    LikeLiked by 1 person
    - 14
      
      hoakley on February 21, 2023 at 3:25 pm
      
      I’m interested that you didn’t mention Asustor, who are now rivalling Synology.
      Howard.
      
      LikeLike
    - 15
      
      Sebby on February 21, 2023 at 6:20 pm
      
      Interesting … that’s a rather sudden ascendance; I think I’d heard of Asustor but they didn’t appear all that different to others, except for their hardware designs. No, to be honest I have no idea about the standing of various NAS brands, it just seemed that Synology had taken the crown, at least on the software side of it. But, good to see it has some worthy competition now!
      
      LikeLiked by 1 person
    - 16
      
      hoakley on February 21, 2023 at 8:19 pm
      
      Asustor was originally set up by Asus, and seems to have looked mainly to the PC market. More recently it has shown more interest in the Mac market. I have reviewed two of their 2-bay NAS over the last year or so, and they’re both excellent value for money and fine products. Synology remains excellent as ever, but it’s a shame about Qnap’s current problems.
      Howard.
      
      LikeLike
17

markbot2zero on February 23, 2023 at 12:21 am

Thank you, Howard.

If you ever get a moment, I’m curious how:

sudo fdesetup authrestart -delayminutes 0

compares to

sudo shutdown -r now

and

reboot

You wrote a nifty comparison of shutdown and reboot in 2018:

https://eclecticlight.co/2018/05/14/should-you-use-shutdown-or-reboot-in-the-command-line/

(I can tell you one thing: fdesetup’s man page is about ten times longer than the other two combined. It’s the longest I’ve ever seen. It should have its own man page, or maybe a “Reader’s Digest” version.)

I once read that when using the reboot command, one should do:

sync; sync; sync; reboot

But there is a discussion of that here:

https://unix.stackexchange.com/questions/5260/is-there-truth-to-the-philosophy-that-you-should-sync-sync-sync-sync

Apparently it’s a vestige of the days of tape drives:

“Old-timer here. Back in the glory days of TAPE, 3 rapid sync’s in a row was a way to tell the TAPE controllers to not just un-link/unspool the tape-stream, but to rewind it as well…”

Reminds me of a story of a husband who wondered why his wife always cut the meat in half before roasting it. She explained that she learned to do so from her mother and simply followed suit. So he asked his mother-in-law, the next time the family had dinner together, why she always halved the meat before roasting. And she told him that’s what *her* mother did.

Fortunately his wife’s grandmother was still alive and he was able, at the next holiday, to inquire of her why *she* always cut the roast in half.

“Because back then it was too big to fit in the oven,” she answered.

-Mark

LikeLiked by 1 person
- 18
  
  hoakley on February 23, 2023 at 6:14 pm
  
  Thank you.
  In terms of the restart, the result with fdesetup is similar to shutdown or reboot, as far as I can see. However, you’d only want to use it if you need an authenticated restart to save unlocking the FileVault volume. Otherwise it’s a long-winded and clumsy alternative.
  The extensive man page is because of all its FileVault features – it’s the master command tool for those.
  Howard.
  
  LikeLike
19

David Van De Meer on July 23, 2023 at 8:56 am

Hi, I wanted a simple way to initial a Filevault Restart on Macs so I created FilevaultReboot – https://github.com/dieskim/FilevaultReboot

LikeLiked by 1 person
- 20
  
  hoakley on July 23, 2023 at 4:09 pm
  
  Thank you.
  Howard.
  
  LikeLike