Thursday, January 14, 2021

macOS 11.2 Beta 2 Adds Full Custom Kernel Support

Hector Martin:

So I’m working on understanding the Apple Silicon boot/OS provisioning process. This is all subject to change, but here are some takeaways according to my current understanding.


This means that in order to set up an Apple Silicon device to boot arbitrary code, you first need to set it up to boot macOS, or at least install a working recovery mode.


In addition, Apple has a mechanism they use to only allow recent versions of their software to be installed on devices, by requiring a “phone home” process when you install it.


So the takeaway here is: Apple have built a very clever secureboot process previously unseen in any kind of desktop computer. They make us go through hoops to boot Linux, but those hoops are there to protect normal users.

Hector Martin (Hacker News):

macOS Big Sur 11.2 beta 2 is out with full custom kernel support.


The OS now finally includes the firmware and bootloaders and tools necessary to replace Big Sur with not-Big-Sur. That was previously not possible.

Howard Oakley:

When you boot an M1 Mac into its new Recovery Mode, it isn’t using the Recovery volume from the standard boot container at all, but what Apple calls 1 True Recovery (1TR) from the Apple_APFS_Recovery container, something which doesn’t exist on an external bootable disk. Many of its features, notably its Startup Security Utility which you can use to change the security policy, are only available in 1TR. As that can’t exist on an external bootable disk, and its command line equivalent bputil is largely limited to 1TR, it’s the internal storage which really controls that Mac, even when it’s booted from an external disk.


This ingenious new boot process does have consequences, though. Failure of internal storage means failure of the whole Mac, which can’t then boot from an external disk, which lacks the essential iSC and can’t provide 1TR either. I think this is already true for Macs with T2 chips, with their single security policy, rather than one for each bootable operating system as in the M1. I suspect it’s also, in part at least, responsible for the lack of an Internet Recovery Mode in M1 Macs.

