What makes a disk bootable?

Once upon a time, I’m sure all you needed to make a disk bootable was a System file and the ‘blessing’ of that disk. Then Apple decided we had to have System Folders, and OS X made it even more complicated. This article outlines what a disk now needs for it to be bootable using a modern Mac.

Intel basics

Making a disk bootable is something we normally leave a macOS installer to fix for us. If you still use a utility like Carbon Copy Cloner or SuperDuper! to clone an existing bootable volume group to a disk, a procedure no longer recommended for Apple silicon Macs, that too should spare you the hassle. But when either goes wrong and you discover that Startup Disk won’t let your Mac start up from that volume group, it’s important to discover what might have gone wrong.

To understand this, consider how an Intel Mac boots from macOS Mojave or earlier, and where that can fail. That’s summarised for older Intel Macs and those with T2 chips in the following diagram.

BootDiskProblems

One fundamental requirement is that the hardware, the Mac’s interface, any cable and drive enclosure, all must support booting that Mac. Some older enclosures offer connections that can’t be used for booting, in which case you’re onto a loser from the start. For T2 Macs to boot from an external disk, that must have been enabled using Startup Security Utility in Recovery mode.

Normally, on a non-T2 Mac booting from an HFS+ disk, it needs a boot loader at /System/Library/CoreServices/boot.efi. A helper partition is normally used when a disk is encrypted using HFS+ FileVault 2, or the storage device requires additional drivers, such as an external RAID array. On a non-T2 Mac booting from an APFS disk, the boot loader should be in the path [UUID]/System/Library/CoreServices/boot.efi on the special Preboot volume /dev/disk1s2.

Bootable disk (Intel)

Starting partially in Catalina, and in full from Big Sur onwards, the required container and volume structure on a bootable disk for an Intel Mac is essentially the same whether it’s internal or external. There’s the traditional hidden EFI partition, and a single APFS container with the boot volume group, consisting of:

the SSV, a mounted snapshot of the unmounted read-only System volume named Macintosh HD, forming the root of the boot file system. The snapshot is named com.apple.os.update- followed by its UUID;
the writable Data volume, by default on the internal disk named Macintosh HD – Data, normally hidden from view at its mount point in /System/Volumes and accessed via firmlinks. On Intel Macs, this is given its full name;
Recovery, the paired Recovery Volume;
Preboot, containing cryptexes and other private files;
VM, containing virtual memory caches.

Note that the Seal on the unmounted read-only System volume is normally broken, but it’s the snapshot that’s important: that should be sealed, unless you have broken its seal intentionally.

bootdiskstructureintelvent

Intel Macs still boot into the paired Recovery volume within their boot volume group by holding the Command and R keys during startup. If that fails, the only alternative source of recovery tools is Remote or Internet Recovery, entered with the Command, Option and R keys held.

Bootable disk (Apple silicon)

The internal SSD in an Apple silicon Mac consists of three APFS containers, and lacks the legacy EFI partition. Only the Apple_APFS container is normally mounted, and that has a similar structure to the boot container of an Intel Mac. There are two significant differences, though:

the Data volume isn’t named Macintosh HD – Data, as on an Intel Mac, but plain Data;
the paired Recovery volume is the primary Recovery system for that copy of macOS, and is supported by the fallback Recovery system in the unmounted Apple_APFS_Recovery container.

Apple silicon Macs are distinct in having this fallback Recovery system, making them more robust in the event of damage occurring to the boot container on their internal SSD. Note that in Big Sur the paired Recovery volume isn’t used; instead, the Recovery partition on the internal SSD is the main Recovery system for all bootable systems on that Mac. That was changed to paired Recovery with macOS Monterey and later.

bootdiskstructureMm1vent

Unlike Intel Macs, M-series Macs always start their boot process from their internal SSD, even when they’re going to complete it from an external bootable disk. This is to ensure that their boot process is secure throughout, using a verified chain of trust through each step in the process.

This starts with the Boot ROM to validate the Low Level Bootloader (LLB), stage 1 of the boot process. The LLB in turn validates other firmware to be used in Stage 2, the LocalPolicy to be applied to the startup disk, and iBoot (Stage 2) itself, in accordance with the requirements of the applicable LocalPolicy. When starting up from a boot volume on an external disk, control is then transferred to that bootable system, which is stored in a single APFS container with the same layout as that for an Intel Mac.

LocalPolicy

The user controls LocalPolicy through Startup Security Utility, which is only accessible in Recovery Mode, and requires user authentication. There is no LocalPolicy that applies to all users and all disks, though: each LocalPolicy is specific to a System Volume Group and authorised user. For example, these can allow:

a single bootable external disk to be used to start up two or more Macs;
one Mac to be started up from any of several System Volume Groups, which can be running older versions of macOS, or load third-party kernel extensions.

Default LocalPolicy created for each bootable external disk provides Full Security, which among other things blocks the loading of third-party kernel extensions and requires SIP to be fully enabled. iBoot (Stage 2) validates kernel collections, signed System volumes, and other components to ensure their integrity, and that the kernel, extensions and macOS to be loaded have an acceptable version number.

LocalPolicy is created when installing macOS to an external disk, when the boot volume group on that disk is assigned its Owner. It can also be created when selecting the boot volume group on a bootable external disk to be the startup disk, in the Startup Disk pane (or in Settings), if it doesn’t already have a valid LocalPolicy, for example when you want to boot from an external disk previously created using another Mac.

LocalPolicy can be changed, in particular changing Secure Boot settings using Startup Security Utility, by first booting from that boot volume group, shutting down, and starting up in Recovery mode. That sequence is essential to ensure that the Mac boots into the Recovery volume paired with the System volume whose security settings are to be changed (Monterey and later).

The current startup disk setting is stored in NVRAM, which on Apple silicon Macs can’t readily be reset by the user. In the event that disk can’t be used to boot that Mac, it will normally fall back to starting up from the internal SSD. This is a more convoluted process in the event that the expected startup disk can’t be found at all: in that case, there will be a long delay in startup, during which the power light will remain on but the display will be black. Eventually, when all hope of finding the missing boot disk is abandoned, the Mac should boot from the hidden Recovery container on the internal SSD, normally used as Fallback Recovery, enabling the user to choose another startup disk and restart from that.

Summary

There’s a great deal more required for an external disk to be bootable than just having a valid macOS installed.

Intel Macs without T2 chips are simplest, but even they now require a complete boot volume group and EFI container/partition. T2 models also require their boot security changed using Startup Security Utility for them to boot from external disks.

Apple silicon Macs are the most complex, in requiring LocalPolicy with an Owner. If that isn’t configured correctly, they won’t be able to boot from that external disk. However, they don’t require to have their Secure Boot settings changed: unlike T2 models, by default they can boot from external disks in Full Security.

13Comments

Add yours

1

Maurizio on March 16, 2024 at 8:17 am

fun fact ,MacOS create the EFI partition (200 MB) even in disks dedicated to Time Machine, the EFIpartition is created by default using GUID partition table. I know someone might want to make them bootable but that’s a rare occurrence. I have to try if apfs container could work on mbr disk.. not sure about it

LikeLiked by 1 person
- 2
  
  hoakley on March 16, 2024 at 10:28 am
  
  Well, no more. EFI partitions are still created on all disks used by Intel Macs, but Apple silicon Macs only create them on external disks. There’s no EFI partition on the internal SSD of an Apple silicon Mac, because it will never be mounted on any Mac with EFI firmware. So the EFI partition is no longer a requirement for Mac storage to be bootable, as of Big Sur.
  No one outside Apple seems to know what the EFI partition is actually doing on all those disks either.
  I wish you luck with your MBR experiment, because I think it’s doomed to failure, as APFS is completely reliant on UUIDs, including in the partition table, and I don’t think MBR supports them does it?
  Howard.
  
  LikeLike
3

Whidbey Thedog on March 16, 2024 at 11:58 am

Old habits die hard, so I still do a daily CCC clone of mw new Mac Studio startup drive. Can anyone tell me why Apple no longer recommends this? Does it damage the SSD or something akin to that?

LikeLiked by 1 person
- 4
  
  hoakley on March 16, 2024 at 1:55 pm
  
  Well, I’m not sure why you’re doing that, or what you think you could do with your ‘clone’.
  If you think you could ‘clone’ it back to your Mac’s internal SSD, then I’m afraid that you’re going to be disappointed, as you can’t, or at least it won’t boot then. If you think you could boot from a ‘clone’ if you have problems with your Mac’s internal SSD, then I’m afraid that you’ll almost certainly be disappointed if you were to try that.
  So perhaps if you explain why you’re doing this, I can explain why it’s not a good idea, and a waste of time and effort.
  Howard.
  
  LikeLiked by 1 person
5

Steven Taylor on March 16, 2024 at 3:16 pm

I purchased SuperDuper! and loved it on Intel; I bought it again for Apple Silicon, but I don’t use it anymore:

When I downgraded to Big Sur as an experiment to see if my idle memory requirements lowered from Sonoma (base model M1 MBP), I was presented with Activation Lock. I knew then that Apple Silicon was designed more like a phone than a computer (as we have known in the past).

You don’t experiment with the OS on an iPhone. Any experiments shouldn’t be tried if Apple hasn’t blessed it; Apple Silicon ought to be simply used as presented. My tweaking days are over.

oh, and Big Sur uses about the same memory at rest as Sonoma does.

LikeLiked by 1 person
- 6
  
  hoakley on March 16, 2024 at 3:45 pm
  
  Thank you, but I’m afraid you’re wrong about Apple silicon being “designed more like a phone than a phone than a computer”. If you can perform “experiments” with macOS, then so can malicious software. The days of free access to the internals of macOS went with Big Sur, whether on Intel or Apple silicon.
  If you want to “experiment” with macOS, then use a virtual machine: it’s far less likely to cause problems. You can disable SIP and Gatekeeper, downgrade its Boot Security, and run malicious software if you want, all in complete safety. I do that not infrequently, as do security researchers.
  Oh – and if you really want to, you can run a custom kernel on Apple silicon too.
  Howard.
  
  LikeLike
  - 7
    
    Steven Taylor on March 16, 2024 at 3:54 pm
    
    what I meant by ‘experiments’ was simply “try different operating system versions”; not nearly as complex as you are describing. And ‘designed more like a phone’ was being able to use an ipsw file to restore in DFU mode, which mode Intel doesn’t have, for instance. And Activation Lock being a thing, now.
    
    I always need to use more words to explain. My fault. You are a wonderful resource.
    
    LikeLiked by 1 person
    - 8
      
      hoakley on March 16, 2024 at 4:18 pm
      
      Thank you.
      IPSW image files more reflect the difference in architecture than the purpose or features of the computer. All Intel Macs use (U)EFI firmware, because that’s the standard for Intel and x86. Before that, when Macs used PowerPCs, they used a different firmware architecture altogether, Open Firmware, which was designed for PowerPC processors.
      Activation Lock is common to both Intel T2 and Apple silicon Macs, but can’t be used by older Intel Macs without a T2 chip. So again it’s more of an architectural (Arm) feature.
      Moving away from UEFI is one of the best things Apple could have done. Using IPSW images, you can now downgrade not just macOS but the firmware of Apple silicon Macs, something that’s never been possible with UEFI, and I’m not sure was possible with PowerPC either. UEFI has had a long run of security issues too, although for the more careful implementor those shouldn’t generally proved serious problems. And there’s nothing really to match Apple silicon Secure Boot – it’s much more secure and robust than anything Apple could have done with UEFI.
      Howard.
      
      LikeLike
9

Simon on March 16, 2024 at 3:58 pm

Thank you for this nice summary, Howard.

Just one simple question about recovery: in your M1 diagram example, if disk3s3 is the usual recovery and disk2s1 the fallback, what purpose does disk1s4 serve? Is there any known use? Is that the image used to create the primary on a fresh setup?

LikeLiked by 1 person
- 10
  
  hoakley on March 16, 2024 at 4:23 pm
  
  Thank you.
  No one outside Apple knows. I don’t think that volume is actually used at present, but it’s there and earmarked for future use if required.
  The macOS installer contains the protected disk image used for Recovery, and installs it during its installation process. That should ensure that the Recovery system paired with any given boot volume group is that intended for that version of macOS, which can be important if you use Recovery for functions such as First Aid in Disk Utility, for example.
  Howard.
  
  LikeLike
  - 11
    
    Simon on March 18, 2024 at 1:18 pm
    
    Thank you, Howard.
    
    LikeLiked by 1 person
12

chrish1961 on March 17, 2024 at 7:01 am

So the System volume on an Apple Silicon machine is still names “Macintosh HD” but the data volume is now just “Data”?

I didn’t know that. I’ve been changing the names of those two volumes to variations of a custom name (e.g., “Yada Yada” and “Yada Yada – Data”) thinking that non-standard names might thwart a bad actor from programmatically hacking my machine.

Do you think that makes sense?

LikeLiked by 1 person
- 13
  
  hoakley on March 17, 2024 at 9:12 am
  
  I’m sorry, no.
  You should be able to change the name of your Data volume if you really want to, but sometimes that can cause problems. The simplest answer is to leave them as they are. That does nothing to alter the security of your Mac.
  Howard.
  
  LikeLike

Intel basics

Bootable disk (Intel)

Bootable disk (Apple silicon)

LocalPolicy

Share this:

Related