Wednesday, December 2, 2020

Is Big Sur’s System Volume Sealed?

Howard Oakley:

So the System volume at disk3s1 (your numbers may differ) has a broken seal?

To understand why that’s perhaps the wrong question, we need to step through how Big Sur creates the SSV in the first place. During system installation, the whole system is created on the System volume. Once complete, and protected by SIP, the installer then creates the Merkle tree of hashes up to the Seal, the one hash to rule them all, and makes a snapshot. The tree of hashes and its Seal are then stored in the file system metadata which make up that snapshot. The sealed snapshot is then mounted and the System volume itself is unmounted.

So it’s not the System volume which is sealed now, but that snapshot.


That crucial piece of information appears to have been omitted from other locations in Big Sur when it’s running on an Intel Mac.
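The distinction drawn above, sketched as an added example (not code from the quoted article, and not Apple's actual APFS on-disk format): a simplified Merkle tree whose root, the seal, is stored with a frozen snapshot rather than with the live volume. SHA-256, the leaf encoding, the sample paths and all function names are assumptions made for illustration.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def merkle_root(leaves: list) -> bytes:
    """Hash pairs of nodes upward until a single hash, the seal, remains."""
    if not leaves:
        return h(b"")
    level = list(leaves)
    while len(level) > 1:
        # Inner nodes get a 0x01 prefix so they can never collide with leaves.
        nxt = [h(b"\x01" + level[i] + level[i + 1])
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])  # odd node is promoted unchanged
        level = nxt
    return level[0]

def seal_of(files: dict) -> bytes:
    # Each leaf binds a path to its content; sorting makes the order deterministic.
    leaves = [h(b"\x00" + p.encode() + b"\x00" + files[p]) for p in sorted(files)]
    return merkle_root(leaves)

def make_sealed_snapshot(volume: dict) -> dict:
    """Freeze a copy of the volume and keep the seal in the snapshot's metadata."""
    frozen = dict(volume)
    return {"files": frozen, "seal": seal_of(frozen)}

def verify(files: dict, seal: bytes) -> bool:
    return seal_of(files) == seal

# Constructed sample data standing in for an installed System volume.
system_volume = {
    "/bin/sh": b"shell",
    "/usr/bin/login": b"login binary",
    "/usr/lib/dyld": b"dynamic linker",
}
snapshot = make_sealed_snapshot(system_volume)

# A later write to the live volume does not touch the sealed snapshot.
system_volume["/bin/sh"] = b"modified shell"

snapshot_ok = verify(snapshot["files"], snapshot["seal"])  # snapshot still matches its seal
volume_ok = verify(system_volume, snapshot["seal"])        # live volume no longer matches

if __name__ == "__main__":
    print("snapshot sealed:", snapshot_ok, "| volume matches seal:", volume_ok)
```

Checking the live volume against the seal reports a mismatch even though the snapshot that is actually mounted remains intact, which is why asking whether the volume is sealed can give a misleading answer.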


