hoakley September 15, 2023 Macs, Technology

Why cloning a System volume isn’t a good idea any more

For the whole of Mac OS X until Mojave, the system booted from its firmware into a single boot volume, containing a fairly traditional mixture of system and user files. As with most boot volumes, this made it difficult to protect system files that shouldn’t change between macOS updates, and to detect whether changes have occurred in them, whether by corruption or maliciously. Apple introduced System Integrity Protection (SIP) in 2015 (El Capitan) to try to address the first of those, but it has limited effectiveness and can’t detect changes at all.

When designing the architecture to be used in Apple silicon Macs, Apple decided that they should have a secure boot process, in which each stage hands over to code that has already been verified as intact and correct. This chain of verification starts in the Boot ROM, which verifies the next stage, the Low-Level Bootloader (LLB), before loading it, and that then proceeds to iBoot, which has the task of verifying the System.

For the smaller chunks of code and data that compose each part of the boot process before the kernel, it’s efficient to compute a hash of its code and compare that against what it should be, but that isn’t a good approach to verifying the 9 GB or so required for the system itself. To handle that, Apple chose to build a tree of hashes instead. Out at its leaves are individual files in the system, each hashed in a group to provide a set of intermediate hashes. Those in turn are hashed in groups, until at the top of the tree is a master hash of the hashes below it. That master hash is known as the seal, and is hashed again to produce a key for the whole system, its signature.

To verify the whole System volume at its top level, all that’s required is to ensure that its signature matches that set by Apple for that version of macOS. Then, as the volume is accessed, the system verifies the hashes further into the tree towards its leaves as necessary.

Because this integrity checking is also required for security, Apple chose to use cryptographic hashes rather than the checksums more commonly used in file systems. APFS already uses Fletcher 64 checksums for file system metadata, but those aren’t robust enough to protect against deliberate attack, and wouldn’t work as efficiently as a tree of hashes.

The final twist applied for the Signed System Volume used for the kernel boot process is that it’s turned into an immutable snapshot before the tree of hashes is built and stored in its metadata.

Another important feature of the System and Data volumes is their union using firmlinks, which effectively join their two directory trees at several points so they can be seen and accessed as if they were a single volume.

Thus, the boot volume group introduced in Big Sur is a far more complex beast than the previous single boot volume used in Mojave and earlier; Catalina acted as an intermediate in the process of migrating to this new architecture, in that it has the volume structure but the System volume is mounted read-only and not a mounted snapshot.

Making an identical copy of a single boot volume using ‘cloning’ isn’t a particularly difficult task, and many of us used to do this routinely. One neat cloning trick was to use this as a method of defragmenting free space: clone your boot volume to another disk, and clone it back again. However you try to do that with a new boot volume group, there are snags and problems. Currently, the only way you could do it is using the command tool asr, or an app like Carbon Copy Cloner or SuperDuper! that forms a wrapper for that command. If you want to know how to do that, this account is well worth reading before you make any decision.

asr has some magical capabilities, such as being able to copy a snapshot, many of which can’t be achieved any other way. It’s also prone to failure, in which case the only solution is to install a new copy of macOS.

That brings me back to the best solution: rather than trying to clone a boot volume group in Big Sur or later, isn’t it far simpler and more reliable simply to install macOS and migrate from the Data volume?

Finally, many of you ask when Apple is going to make cloning the boot volume group easier again. The answer, I believe, is never, and in the future even cloning using asr may well disappear altogether. It’s now almost four years since Apple released Catalina and started down the road to Secure Boot and the Signed System Volume. It’s hardly going to want to step back and throw all the benefits away. You should also consider other ways of creating identical systems, such as lightweight virtual machines, that can be cloned in an instant and don’t even take much free disk space.

25Comments

Add yours

1

EcleX on September 15, 2023 at 7:04 am

Thanks for the interesting article. In order to somehow duplicate the disk contents, and given what you have explained in the article, what is best, to use Carbon Copy Cloner/SuperDuper to make a full backup of a booting disk (except system) and then in stall macOS in such destination disk to make it bootable, or do it the other way (first install macOS and then use CCC/SD to make the backup)?

LikeLiked by 1 person
- 2
  
  hoakley on September 15, 2023 at 8:49 am
  
  Thank you.
  You should back up what you want backed up. If you want a backup of a Data volume, then back it up as one, once it is a proper Data volume.
  Howard.
  
  LikeLike
  - 3
    
    EcleX on September 15, 2023 at 8:55 am
    
    Thanks. Yes, but I meant, what is the best approach to “somehow” duplicate a booting disk into other disk? A) Backup source into destination and then install macOS in the destination, or B) install macOS in destination and then backup source into destination? I mean, which order is the best, A or B?
    
    LikeLiked by 1 person
    - 4
      
      hoakley on September 15, 2023 at 9:07 am
      
      You cannot clone just a System or Data volume, because of their firmlinks. You can only make a (near-perfect) copy of a Data volume, or clone both volumes together. The article above explains why cloning isn’t the best choice now.
      As your copy of the Data volume is only a copy, the correct way to use that is to install macOS, then to migrate from that copy of the Data volume into the newly installed system. That produces the boot volume group correctly, and once complete you can then make a backup of the new Data volume.
      Howard.
      
      LikeLike
    - 5
      
      EcleX on September 15, 2023 at 9:56 am
      
      Thanks. I guess that you mean migrate with “/System/Applications/Utilities/Migration Assistant.app”. Is that correct?
      
      LikeLiked by 1 person
    - 6
      
      hoakley on September 15, 2023 at 11:12 am
      
      I mean in the normal way after any new install. You have a choice of migrating during the initial personalisation and setup of the new system, or of running Migration Assistant at any time afterwards. Which you choose is up to you.
      Howard.
      
      LikeLike
7

eyelessjerry on September 15, 2023 at 8:07 am

If only Apple ever could make migration reliable … . But I agree it is the most practical solution now for moving to a new computer. Migration could also be made from a clone of the data volume and so cloning has value as a backup solution still.

LikeLiked by 1 person
- 8
  
  hoakley on September 15, 2023 at 8:51 am
  
  Migration is far more reliable now, and in many situations the preferred or only method to restore a Data volume. Trying to make an exact copy in a clone no longer has much purpose: for example with its Spotlight metadata, and version database, which can never be restored to another volume. Carbon Copy Cloner tech notes explain this and other problems in detail.
  Howard.
  
  LikeLike
  - 9
    
    eyelessjerry on September 15, 2023 at 9:01 am
    
    Yes, migration has become more reliable in the last few years in my experience too (and it would be kind of hopeless if it had not), just like Disk Utility has become better on repairing problems. It is good you point out that spotlight data will have to be rebuilt when migrating via a CCC clone which I did not remember. However, what I had in mind when complaining about the migration process is that I recently migrated a user from an Intel Mac running Monterey to a new MBP M2 Pro computer and spotlight would not work properly after the migration … with mail accounts and they had to be removed and added again as there was no way to get any mail account mail (as opposed to mail stored in local folders, that were indexed) to be indexed in any other way. So maybe it would just be as well that Spotlight data is not migrated … .
    
    LikeLiked by 1 person
    - 10
      
      hoakley on September 15, 2023 at 9:03 am
      
      Mail uses Core Spotlight, which has changed and has limited access – I suspect that may have been the problem. Sadly, Mail is still riddled with bugs too.
      Howard.
      
      LikeLiked by 2 people
11

Ralf on September 15, 2023 at 8:43 am

Does a cloned lightweight virtual machine (MacOS/Linux) work with another Mac as well?

LikeLiked by 1 person
- 12
  
  hoakley on September 15, 2023 at 8:53 am
  
  Yes, but you can’t keep it as a clone when you copy it to another volume. I have an external SSD with all my VMs, and that uses clones fine. But if you try copying one of those clones to another APFS volume, the whole VM has to be copied, of course.
  Howard.
  
  LikeLike
  - 13
    
    Ralf on September 15, 2023 at 9:07 am
    
    Sorry to ask again. What do you mean by “but you can’t keep it as a clone if you copy it to another volume”. Yes, it is clear that the whole VM must be copied.
    Such a VM would be especially interesting to be able to continue working directly on another Mac in case of emergency.
    
    LikeLiked by 1 person
    - 14
      
      hoakley on September 15, 2023 at 9:11 am
      
      If you clone a VM by duplicating it on the same volume, then the clone doesn’t take any additional space until you change it by running it, and then it only takes the additional space required for the changes. If that volume is external, then you can run both the original and the clone using another Mac (not at the same time, though, as they will have the same Machine ID, being clones).
      However, if to run it on another Mac, you copy that clone to another volume, then the process of copying produces a whole VM on the destination, of course.
      Howard.
      
      LikeLiked by 1 person
15

SarahB on September 15, 2023 at 10:56 am

I haven’t cloned my Mac or system volume in so long. Not since CCC said it was more difficult to do long ago. It’s why I rely more on Time Machine now. I always used TM but backups have always been an obsession for me.

I recently checked all my clones and realized I have 43 hard drives of different types used for cloning. I do the clones every weekend and it takes a while to go through them all. I have so many since some are groups of JBODs in pairs. Then I have two clones of everything, 5 clones of my personal stuff.

I know storage will always fail, just a matter of time. So I try my best to deal with that when it happens and not let it be such a tragedy. I spent so much more money on storage than my Mac computers even. This is because I always felt keeping my data safe is the number 1 priority. More than having the newest fancy Mac computer.

Still none of those first aid troubles I was having before. No errors at all. Glad things have been good now.

LikeLiked by 1 person
- 16
  
  hoakley on September 15, 2023 at 11:14 am
  
  43 hard disks? My goodness, that sounds like a full-time job.
  Howard.
  
  LikeLike
  - 17
    
    SarahB on September 15, 2023 at 12:35 pm
    
    5 Mac’s at home but only really back up stuff on mine but all files are kept off it. Time Machine on all of the mac’s also. Mom’s media as well but each of the three 12TB media drives have 4 other hard drives as clones, two JBOD pairs.
    
    Music is on external drive also and has 3 clones. Personal drive has 5 clones. Not so bad though, I use CCC and spend a hour or so on the weekend to go through them all. They are nicely organized in hard drive cases on a shelf. Gives me peace of mind.
    
    LikeLiked by 1 person
18

Markus Ruggiero on September 15, 2023 at 11:13 am

Interestingly all the cloning talks are related to file systems. What about cloning way below the file system like making block copies? The command line tool “dd” can do this. Wouldn’t it be possible to create a physical copy that can boot? At the end of the day any type of file system is just a way to interpret bits and bytes stored on a medium, be this a hard drive or possibly even a SSD.
Thinking this should also work for time machine backup drives.
Any comments?

LikeLiked by 1 person
- 19
  
  hoakley on September 15, 2023 at 11:18 am
  
  Yes, some have managed to use dd to do this. It’s not recommended, and has snags like the fact that you can’t resize the container until after the copy. There’s another more sinister problem that asr doesn’t suffer from: the UUID of the container and its volumes are identical to those of the source. APFS really doesn’t like that, so you can’t have the source and destination mounted at the same time, which rules it out for copying internal storage.
  Howard.
  
  I should perhaps add that there’s no known way, at least not to me, to change those UUIDs either.
  
  LikeLike
  - 20
    
    tempelmann@gmail.com on January 19, 2024 at 11:22 am
    
    I believe I had once found a way to update those UUIDs when I tried to clone entire partitions in macOS 10.15.
    
    I think there’s a SO post about it…
    
    Ahh, on my blog: http://blog.tempel.org/2019/05/cloning-apfs-volumes-containers-apfs.html
    No clue if that still works, though.
    
    LikeLiked by 1 person
    - 21
      
      hoakley on January 19, 2024 at 3:49 pm
      
      Thank you, Thomas. I thought that was done automatically by asr? Cloning remains a thoroughly bad idea, though.
      Howard.
      
      LikeLike
22

Simon on September 15, 2023 at 2:02 pm

I’m very much on board with using MA to go from one Mac to another. In my experience it works well and thanks to modern Macs’ fast internal flash and a TB4 cable it’s also really fast.

My concern is what I’d do if that Mac were no longer available. Say I got mugged or dropped it to the floor of the ocean. In such a case, obviously TM is great because, again in conjunction with MA, it will allow me to get set up on another Mac quickly. In my experience this also works well.

But, and this is where my question comes in, I like to rely on not just one method or disk. Now I have TM running to two separate disks in two separate locations. But it’s still all TM and so I feel comfortable knowing that I have as an ultimate safety net something that relies on an alternate method. For that, I like the idea of using simple and free SD to create a “clone”. Not because I use it as the type of clone we used to before SSV, but as a simple and fast way to create a copy of all my docs, apps, settings, and those other pesky little bits (I’m sure there’s others too, just SD “clones” is what I use). And, this is the great part, that “clone” can also be used to restore with MA should all other safety nets break. In that sense, I like that “cloning” is still around, admittedly though, now being used in a very different way. Any problems you see with that approach, Howard?

LikeLiked by 1 person
- 23
  
  hoakley on September 15, 2023 at 2:41 pm
  
  I think it’s important to make a clear distinction between a clone, and a copy or backup. A clone is as close as possible to a perfect copy in every respect, so could be substituted for the original without any significant change on the part of the user. Copies and backups contain almost everything we want (we can exclude some things like VMs, and temporary files).
  The idea behind clones is that you can clone them back in place of the original. A copy or backup would normally be copied back, either in a restore or by migration.
  If you had to rebuild your system on another Mac, then these days what you’d do would be to install macOS, and migrate from your copy or backup. You can’t clone a clone back any more, because of all that I have explained above.
  So what you need isn’t a clone at all, but an independent copy or backup, in addition to Time Machine. For that, I use Carbon Copy Cloner, which makes a copy of my Data volume and my main external working folder every night.
  I hope that’s clear.
  Howard.
  
  LikeLike
24

Michele Galvagno on November 14, 2023 at 9:49 pm

The problem with new installs, migrations, and clones, is not with macOS, but with those 3rd-party apps (especially creative ones) that plant a “MachineID” connected to that activation of the software.
While this has improved greatly in recent years, I still recall how having to format my Mac (or PC) required me to call support (in English only) to ask to unlock that specific “seat”. Now most softwares have a command in your account to “deauthorise all your seats”, but not all of them have caught up.

LikeLiked by 1 person
- 25
  
  hoakley on November 14, 2023 at 10:28 pm
  
  Thankfully, it is many years since I last had to grapple with that one, but I well understand the problems.
  Howard.
  
  LikeLike