hoakley May 30, 2023 Macs, Technology

Apple’s big test of data integrity

Well over two years ago, when Apple released Big Sur, it started the largest test of data integrity ever undertaken on Macs, and quite possibly the largest on any personal computer, in the Signed System Volume (SSV). Over the period since 12 November 2020, every T2 and Apple silicon Mac that has booted Big Sur, Monterey or Ventura in default Full Security mode has verified every last bit of their 9 GB SSV.

Apple describes this process in its Platform Security Guide. During macOS installation or update, a tree of SHA-256 hashes is built for the snapshot made of the System volume. During the boot process, unless boot security has been downgraded from Full Security, the contents of that SSV are verified against its tree of hashes. In the event that they don’t match perfectly: “the startup process halts and the user is prompted to reinstall macOS”.

Because the SSV is a snapshot, APFS makes both its file system and all its data read-only to all other processes. However, errors in APFS could result in unintended changes to the snapshot, and it remains fully exposed to changes taking place below file system level, including ‘bit rot’. Those have commonly been ascribed to failures in the storage medium, and factors such as cosmic rays that have been claimed to be responsible for data corruption. Thus every T2 and Apple silicon Mac booting Big Sur or later in Full Security mode has contributed a measure of data integrity.

No one outside Apple knows exactly how many Macs have taken part in this large-scale test. Since the release of Big Sur, Apple has sold around 20 million Macs each year, all of which are running Big Sur or later. Many existing Intel Macs with T2 chips have also been upgraded to Big Sur or later. At the very least, macOS 11 or later must have been installed and run on tens of millions of Macs, possibly as many as 100 million in total. Even if most of those Macs aren’t booted daily, but left to sleep every night, each of them will have booted once for each macOS update or upgrade since installing Big Sur or later. In total, those Macs must have completed hundreds or even thousands of millions of verifications of their SSV.

Although I believe that I have heard of one user whose Mac didn’t complete a macOS update successfully, and was prompted to reinstall macOS, such events appear to have been exceptional in Big Sur and later. It certainly doesn’t appear to have occurred sufficiently frequently to become noticeable on popular internet discussion forums or support groups, although other problems updating macOS are often more widely reported. My own experience with a minimum of four different Macs is that I have never encountered a verification failure against the tree of hashes, nor has this ever occurred in any of the virtual machines in which I have macOS installed.

While these are anecdotal and not statistical, they’re worth putting into the context of comparable failures, such as those requiring replacement of the logic board. Since the release of the first M1 Macs, I have heard of several, but no more than a dozen, Apple silicon Macs that have undergone logic board replacement. In some of those cases, the repair may have been precautionary rather than the result of any discrete hardware failure. However, in my experience an Apple silicon Mac is more likely to require logic board replacement than it is to fail to verify its SSV against its tree of hashes. So while none of us can rule out data corruption due to cosmic rays and similar causes, the chance of that happening appears extremely remote, and probably the least of your concerns with modern Macs.

If you know otherwise, please don’t hesitate to let me know.

25Comments

Add yours

1

f d on May 30, 2023 at 7:21 am

> Although I believe that I have heard of one user whose Mac didn’t complete a macOS update successfully, and was prompted to reinstall macOS, such events appear to have been exceptional in Big Sur and later.

This — or something similar — happened to me during one of the Monterey updates on a pre-T2 Intel iMac. After the update, the machine wouldn’t boot. I had to reinstall the OS from a USB stick. Data was all still there after the reinstall, so I guessed the problem was an integrity issue with the update.

LikeLiked by 1 person
- 2
  
  hoakley on May 30, 2023 at 4:51 pm
  
  I have deliberately not involved non-T2 Intel Macs, because, although they do apparently validate the signature on the SSV, they may not validate the whole hash tree in the same way. Apple unfortunately doesn’t describe this in the Platform Security Guide.
  My understanding of what happens if validation fails is that the Mac should start up in Recovery, so I’m not sure that your event was a failure to validate – indeed, the whole update might simply have aborted without even trying to boot.
  Howard.
  
  LikeLike
3

Enzo Vincenzo on May 30, 2023 at 7:30 am

Dear Howard, thank you!
At the beginning of Mac OS X I was lucky enough to come across David Pogue’s books “The missing manual…” which introduced me to the secrets of OS X.
Now, for some time now, my reference has been you and your WEB site and I don’t know if there are others in which to deepen and understand what is at the foundation of the Mac.
This one of mine does not want to be a sweetie!
I thank you with my heart!
Vincent

LikeLiked by 1 person
- 4
  
  hoakley on May 30, 2023 at 4:51 pm
  
  Thank you.
  Howard.
  
  LikeLiked by 1 person
5

Duncan on May 30, 2023 at 12:46 pm

Thank you for putting this all in perspective. While I am one of the more vocal users calling for Apple to implement user-data integrity checks, the numbers you’ve put forth in this article imply that the potential risks are indeed quite minimal.

I am curious about one detail, nonetheless. You wrote:

“During the boot process, unless boot security has been downgraded from Full Security, the contents of that SSV are verified against its tree of hashes.”

Is that to say that during each system boot, every (digital) bit of the SSV is verified? How much extra time does that add to the boot process?

LikeLiked by 1 person
- 6
  
  hoakley on May 30, 2023 at 4:56 pm
  
  This is the ingenious part: verification carries little overhead, as it runs as a rolling process once the top-level ‘seal’ has been verified. So verification is a continuous process as the SSV is mounted and accessed.
  Howard.
  
  LikeLike
7

markbot2zero on May 30, 2023 at 3:49 pm

Thank you, Howard.

re: “Thus every T2 and Apple silicon Mac booting Big Sur or later in Full Security mode has contributed a measure of data integrity.”

Evidently non-T2 Intel Macs behave differently. If you have a moment, could you elaborate on the difference, or perhaps refer me to one of your articles where you already have done so? I couldn’t tell from the “Platform Security Guide, and a search of articles.

Comment:

Inasmuch as macOS is protected against “bit rot” as you have explained above, the actual damage done by errant cosmic rays, unlikely as it is, will probably be to user files. (Assuming the rays act randomly and are not malevolently AI infused, e.g., through contact with ChatGPT.)

In my experience, the vast majority of Mac storage space is taken up by movies, music, pictures and books. If any of these, against all odds, gets a bit tweaked, it probably won’t even be noticeable.

Finally, thank you for so generously providing your “intch” set of utilities*, so that anyone still concerned about file integrity can take precautions against its occurrence.

-Mark

* I’m referring here to Howard’s Dintch, Fintch & cintch utilities.

LikeLiked by 1 person
- 8
  
  hoakley on May 30, 2023 at 5:05 pm
  
  “Evidently non-T2 Intel Macs behave differently”
  Well, they have to, because they don’t have a secure enclave or SEP. Unfortunately, in the Platform Security Guide, Apple describes how T2 Intel and Apple silicon Macs handle this, but not non-T2 Intel Macs. I understand that non-T2 models do still validate the top-level hash, or ‘seal’, but how that works, and what happens if there’s a failure of validation, I simply don’t know.
  Howard.
  
  LikeLike
9

Ron Gomes on May 30, 2023 at 4:36 pm

“During the boot process, unless boot security has been downgraded from Full Security, the contents of that SSV are verified against its tree of hashes.”

This is news to me. I have to run with reduced security because Rogue Amoeba’s audio requires it (oddly, even though their audio capture engine is implemented as a system extension and not a kernel extension). So you’re saying that in this mode I’m not getting the verification advantage of the SSV? That the Mac might boot successfully even in the presence of system corruption?

LikeLiked by 1 person
- 10
  
  hoakley on May 30, 2023 at 5:15 pm
  
  “So you’re saying that in this mode I’m not getting the verification advantage of the SSV?”
  No, I’m saying that in Full Security, the contents are fully verified. Below that are two levels of reduced security, and the rules for those are spelled out in detail in the Platform Security Guide, to which I refer you. I believe that in your case, your Mac should still perform full verification. What I needed to do here was to exclude both forms of reduced security because of their added complexity. This article is about the consequences of Full Security mode, not the differences between the three modes.
  Howard.
  
  LikeLike
11

bdmarsh on May 30, 2023 at 5:31 pm

I haven’t had this happen on our work computers (yet).
But I did, over a year ago, have a client with a M1 Mac mini that failed to boot after an OS update that went wrong (Big Sur likely) – It wouldn’t boot – would just shut down again and it couldn’t properly go into the recovery mode to re-install nicely (not sure why, tried at least a couple of times before giving up).
That was when I had to build my first external Apple Silicon boot disk on my own personal M1 Mac mini to then boot the clients Mac and do a copy of the data partition and re-install booted from the external. It’s been long enough I don’t remember specific details – just generally finding it weird.

I was glad it wasn’t a T2 based Mac or I wouldn’t have been able to boot from external.

LikeLiked by 1 person
- 12
  
  hoakley on May 30, 2023 at 5:40 pm
  
  I has a similar experience with an early M1 and Big Sur: I put it into DFU mode and refreshed its firmware. It then booted perfectly. I suspect that some of the first releases of Big Sur were a bit like that!
  Howard.
  
  LikeLike
13

deviantintegral on May 31, 2023 at 11:55 pm

Thanks for writing this up, it’s an interesting topic for sure.

I once got an SSV error on my 2019 Intel MBP (T2). A notification came up in notification centre, and then the laptop rebooted. Well, if you can call usually crash looping early in boot “booting”.

When I took it in for repair, I suggested to the tech it may have been the flash. It turned out to be faulty RAM. They had to replace the whole board anyways, so not much of a difference for me.

The point being, stronger data verification can detect the existence of errors in much more than just the flash. On my NAS, I had ZFS checksum errors due to a bad SATA cable.

With Apple’s current implementation, it’s only verifying signatures of blocks that are read, and not the whole system volume. Though, I imagine it has to do a full check as a part of OS upgrades. I wonder how long the RAM in my system was failing for, and if I have silent data corruption (even in my backups!) I’m not aware of.

Yet, I think Apple’s numbers show that such failures are likely so catastrophic that they are immediately noticed, and not worth the effort and performance hit of full checksums. I hope one day they release a paper on this, similar to how Google did on their experiences showing that bit flips were common in their case.

LikeLiked by 1 person
- 14
  
  hoakley on June 1, 2023 at 9:06 am
  
  Thank you.
  “A notification came up in notification centre”
  So this was a post-boot error? But I’m confused, because you then refer to what I think is boot-looping?
  Howard.
  
  LikeLike
15

deviantintegral on June 1, 2023 at 12:37 pm

Right. I was in the middle of a work day, using my laptop, when the error came up. Then, it started to boot loop.

Unfortunately, I can’t find an example of the notification, and because it rebooted automatically I couldn’t take a picture in time.

LikeLiked by 1 person
16

kapitainsky on June 3, 2023 at 11:06 am

It is interesting example to demonstrate rarity of read data errors. And it made me think:) and try to turn it into some numbers.

Yes data corruption errors are not hiding behind every corner and should not cause sleepless nights for worrying users. However it is good to understand that data corruption is real and depending on amount of data and workflows can affect some users more than others.

First and most obvious source of disk read errors is the nature of storage media. Mechanical or SSD both suffer from URE (Unreadable Read Errors). Good thing is that it is number all reputable disk manufacturers include in their specifications. Its range is between 1E-14 for cheap mechanical drives to 1E-17 for high end enterprise SSDs. It tells us what is the chance that read bit can not be returned to OS with correct value – disk read errors happen very often (all the time actually) but very clever disk controllers error correction algorithms correct them on the fly.

Now if we assume that Apple computer SSD has 1E-16 error rate (Apple does not make public this value) and SSV is 10GB – it is eighty billion bits.
The chance of successfully reading 10GB is (1 – 1/1E16) to the 80 billionth power, or 99.99991 percent, or conversely a 0.00009 percent chance of failure. It means that statistically SVV error happens once per million reboots. Much less if Apple SSD is even better quality. In addition there are many more factors affecting URE e.g. it is much less for new drive and will increase when drive ages.

But it is for 10GB on high quality small capacity internal SSD. Things deteriorate very quickly if we connect 20TB external mechanical disk. On such disk random error will happen statistically every few times we read all data. This is where everybody should start thinking about using file system able to at least detect corruptions.

There are many other sources of disk data corruption than URE. Latest OS update can have rare bug, data is read to memory (no ECC) and written back, there might be some trivial problems like faulty connector.

Lastly as Howard clearly makes fun of cosmic rays caused problems here we are study made by Google:

Click to access 35162.pdf

Memory errors are real. The same like with disks it is all probability game. If I have 16GB or RAM and light usage chances are small. It can dangerously change if I have 1.5TB of RAM and run memory intensive workloads (it is btw max Mac Pro supports but it uses exclusively ECC RAM).

So I think it is true that most mac users should not worry too much about their pictures being corrupted by space rays. Still I think it is big omission on Apple side not to include in APFS data checksuming. It would give people pushing their workstations to the limit more secure feeling at least.

LikeLiked by 1 person
- 17
  
  kapitainsky on June 3, 2023 at 11:17 am
  
  Other thing was how often people reboot their laptops? I did quick friends survey:) None of them turn laptop off. 100% just close the lid when going to do something else than staring at the screen. So in this small group laptops reboots only few times a year.
  
  LikeLiked by 1 person
  - 18
    
    hoakley on June 3, 2023 at 8:34 pm
    
    Thank you. I do address that in the article above: the pattern between notebooks and desktops is different, but at the very least every Mac reboots macOS following each macOS update. Although I keep my iMac Pro running 24/7, I do restart it every couple of weeks or so, and it does get shut down during periods of electrical storms and other severe weather. At the other extreme, many desktop users shut their Macs down at the end of the working day, and start them up in the morning.
    Howard.
    
    LikeLike
- 19
  
  hoakley on June 3, 2023 at 8:29 pm
  
  “Howard clearly makes fun of cosmic rays”
  I make fun of bad science. Absolutely nothing here comes close to being the careful objective study that should be undertaken in any scientific discipline. We have a handful of relatively weak observational studies made on computer systems very different to modern ones, and everyone rushes out and hysterically insists that they must have ECC memory. Unsurprisingly, the computer industry is only too willing to charge us extra for the privilege. Maybe paying more money gives some people that more secure “feeling” too.
  Evidence-based and rational decision-making and cost-benefit analysis should be the rules of the day.
  Howard.
  
  LikeLiked by 1 person
20

markbot2zero on June 3, 2023 at 4:20 pm

Dear Kapitainsky,

First of all, thank you for your thought provoking contributions, not just in this comment thread but elsewhere on Eclecticlight.co

The article you posted:

1) was published in 2009

2) is about RAM, not SSD

3) two of the three articles which reference cosmic rays date from 1979; the other from 1996.

One wonders how much things may have changed in the last fourteen years, and whether today’s SSD has the same error profile as the DRAM studied in the article.

I don’t worry about cosmic rays (or about data integrity in general for that matter) but the manner in which they could corrupt RAM or SSD would be a fascinating study, presumably at the level of the microcircuits.

-Mark

P.S. I was always under the impression that cold booting any computer (which has been turned off for more than a few hours) stresses the electronics, so it is better to leave them on. I tell my clients to always let a device which has been turned off and left in the cold (i.e., in wintertime in a car) to come to room temperature before starting it. Back in the days of the early PCs, IBM suggested leaving them on all the time. Then again, I’ve never heard of a computer dying because it was cold booted too often. Personal computer systems have always been remarkably robust.

LikeLiked by 2 people
- 21
  
  kapitainsky on June 3, 2023 at 5:02 pm
  
  Thank you. Yes I actually posted it in relation to RAM which can contribute to data corruption on disk. Sorry if I did not make it clear enough. English is not my mother tongue and sometimes I think faster than write – both factor contribute to some problems with communication:).
  
  Yes also that it is not study from 2020s but studies like these are not easy to find. And I do not think that RAM technology changed much in principle. If yes that we are talking about ongoing miniaturisation and increased cells density – and it make matter even worse. The latest high capacity DDR5 start using ECC internally (on-die) as RAM – they can work with CPU/SOC not supporting ECC – majority of computers nowadays. We also made massive progress in terms of error correction algorithms. It is still very active area of research but we are reaching theoretical limits:
  
  https://en.wikipedia.org/wiki/Low-density_parity-check_code
  
  Latest error corrections algorithms implementations take into account things like “probabilities and likelihoods of belief” – which sounds like phrase from some esoteric literature:) It is what powers modern SSDs and 20TB HDDs.
  
  Re cosmic ray risk very interesting fact is that any space equipment for exactly this reason is using rather old electronics components – e.g. Perseverance rover on Mars is run by PowerPC 750, a single-core, 233MHz (the same as Mac in 1998). Bigger gates, cells etc. make it much less sensitive to “cosmic rays”.
  
  LikeLiked by 1 person
  - 22
    
    hoakley on June 3, 2023 at 8:44 pm
    
    “studies like these are not easy to find”
    That says it all to me. There’s precious little evidence, yet a lot of money spent on ECC memory.
    “Bigger gates, cells etc. make it much less sensitive to “cosmic rays”.”
    As I have written elsewhere, larger surface area would also make it more likely to be ‘struck’ by a cosmic ray. If you don’t take that into account, and can’t accurately quantify ‘sensitivity’ all you’re doing is guessing.
    Howard.
    
    LikeLiked by 1 person
23

kapitainsky on June 7, 2023 at 11:08 am

Today friend of mine contacted me about his laptop problem…

Good that system files have integrity protection. If it was in his holiday pictures nobody will notice:)

LikeLiked by 1 person
- 24
  
  hoakley on June 7, 2023 at 12:31 pm
  
  Thank you.
  That’s a fascinating notification. I don’t think that’s in the SSV, as it refers to a volume hash, not the hash in the mounted system snapshot. It would be interesting to know where that was.
  Howard.
  
  LikeLiked by 1 person
  - 25
    
    kapitainsky on June 7, 2023 at 12:53 pm
    
    me too. unfortunately re-install with disk wipe is already done. What is interesting that after this error computer rebooted without any issues. So it could be just memory error.
    
    LikeLiked by 1 person