Friday, April 4, 2025

How External Bootable Disks Work With Apple Silicon Macs

Howard Oakley:

Unlike Intel Macs (including those with T2 chips), all Apple silicon Macs always start their boot process from their internal SSD, even when they are set to start up from a bootable external disk. This ensures the security and integrity of that process and prevents an attacker from starting that Mac up without credentials.

However, this is a problem if the internal SSD isn’t working properly, as happened to me.

In addition to normal requirements for a macOS installation on an external disk to be able to boot a Mac, ownership of the boot volume group on that disk is required. This is normally performed when installing macOS on that disk, as explained here, and results in the ownership of that boot volume group by an authorised user of that Mac. This is incorporated into a LocalPolicy that is saved to the internal SSD of that Mac.

[…]

To accommodate the more advanced Secure Boot of Apple silicon Macs, their internal SSDs are divided into three partitions, with an extra six volumes beyond the boot volume group.

[…]

Because restoring in DFU mode erases the whole of the internal SSD, it also blows away all saved LocalPolicy for that Mac. Following the restore process, any bootable external disk used with that Mac will need to have its ownership re-established so that a new LocalPolicy can be created for it.

Howard Oakley:

It’s a common misunderstanding that trying to change Boot Security in Startup Security Utility can help solve Apple silicon boot problems, but if anything it only complicates them. Almost the only good reason for reducing boot security of an Apple silicon bootable system is when third-party kernel extensions are required. Otherwise don’t tamper with Startup Security Utility, as it will only confuse, as we’ll see later.

[…]

One important functional difference, which remains relevant to Big Sur boot disks, is that Apple silicon Macs don’t use the paired Recovery volume as their primary Recovery system: booting an Apple silicon Mac running Big Sur into Recovery should instead use the Recovery system installed in their internal SSD, in the Apple_APFS_Recovery partition. In subsequent versions of macOS, that’s used instead for secondary or Fallback Recovery. Thus Big Sur can be a problem when it comes to Recovery, and for this reason is best avoided on Apple silicon Macs. If it’s essential to install a copy of Big Sur, then be prepared for problems with Recovery mode.

[…]

Although APFS should be backward compatible, making it relatively safe to make changes to an older version of APFS from a newer system, forward compatibility is more limited. Using older versions of Disk Utility or tools like fsck on newer versions of APFS risks errors, failure and at worst damage. The Appendix at the end of this article summarises version numbering in APFS and major changes to beware of.



I suspect Howard and several devs at Apple and a couple Mac backup shops, are the only people on Earth who understand how to reliably keep disks bootable on new Macs.

Aside from all the other things about new Macs that I dislike, Apple's post-Steve philosophy for Target Mode and Bootable volumes is why I gave up on the Mac as my 'daily driver'.

Fantastic if other people feel the additional security is worth it for them. Personally, to work like this - with my setup tethered so tightly to a particular CPU - would feel precarious. I want the peace that comes with knowing I always have a backup I can revert to in case of hardware failure.


“This ensures the security and integrity of that process and prevents an attacker from starting that Mac up without credentials.”

Sure, but so does encasing the Mac in concrete—just depends how committed you are to security.


@Matthew Yeah, I don’t really understand what scenario it’s even protecting against. They already have ways to prevent access to the Mac’s data and to prevent rogue code from being added to an existing installation. Do I really care if someone has physical access to my Mac and they use it to set up a totally separate system booted from an external drive?


The disaster that is booting and permissions on an Apple Silicon mac is one of the main reasons I don't want one. I need one for work, however, and I've lost days of my life struggling to deal with getting it booting properly, especially on an external drive, or dealing with an administrator or root account still not having permissions to do certain essential things. There are so many things that can go wrong, and they all trigger weird inscrutable errors that there's no way to fix, unless you're one of the five people in the world who actually understand this, or someone on the internet just happened to post about the exact issue you're having and also just happened to come across the solution.

One of the things I loved about my earlier Intel (and PPC) macs is that I could just plug in an external drive and boot from it! It was so flexible and easy.

And who needs all this "security"? My threat model certainly doesn't require this. Hell, if my mac is stolen then my data is still protected six ways from Sunday. That was true with my Mac from ten years ago that didn't have secure enclave or T2 chip or any of this garbage -- all it needed was an encrypted drive. No one was going to break through that.

The only thing this is protecting me from is being confident I can boot or use my own computer the way I want, or make backups of this data the way I want. That is to say, it's an anti-feature. It'd be an anti-feature even if it *worked correctly*, which it often doesn't.

I've beaten this drum before and I'm going to do it again, but this is probably not a feature for me, but for Apple, because it lets *them* control how I use my own computer.


Ok, I never thought I’d say this, and please understand this is purely a joke and I mean nothing personal.

But I finally know what Steve Jobs meant when he said “have you ever considered that maybe you’re holding it wrong?”

Now I completely sympathize with people who have trouble and think that is regrettable. I guarantee Apple feels the same. And I understand your threat model does not need your system to be completely secure. I’m speaking to anyone who thinks this is a step backwards because they don’t particularly see the value for their own personal setup, and will try to provide some reasoning on why Apple can’t design around a “probably mostly secure for your average user use case” and still say “our systems are secure” without being wrong or lying.

First of all, I’d like to suggest that, if your time is valuable, you might consider altering your backup strategy that worked great 15 years ago but is not optimal or necessary today. I can set up an entirely new Mac in about 60 minutes from scratch from nothing and have basically all my tools and data (and I have a lot). Cloud storage, Homebrew + MAS with a brewfile, some odds and ends here and there to keep things synced. I keep my dotfiles in a repo that is symlinked into my iCloud Drive and it works great. I use 4 Apple Silicon computers regularly, 2 as dev machines, and have used one exclusively since launch (sold my Intel Mac shortly after AS was announced). I think I’ve run into a permission issue like you describe once, within 1-2 years of getting the Mac Mini at launch. Can’t be sure it’s related but it rings a bell.

It would take me far longer and be much clunkier to keep everything in sync with a dedicated external drive. Updating the OS, keeping multiple copies of applications installed and updated, licensing issues (do I waste one of my 3 seats on a backup drive and then the last one on my backups backup?), dealing with a stale backup or being forced to spend time regularly maintaining the backup. All of it pointless because technology has evolved.

If your time is so valuable that you can’t spend an hour setting up a computer (which I suspect you are spending anyway, per month, keeping a bootable backup fresh in the best case scenario) then get a backup computer. It’s ready to go and more reliable and it can keep itself up to date in the background. Adjusted for inflation, the cost is not much more than a capacity high speed bootable drive was 15 years ago when this was a good strategy. And as a bonus you get a whole other computer around your bootable backup!

I know that suggestion is going to put a bad taste into people’s mouths but here’s the thing, and I mean this with the most love and kindness. Technology changes. Apple would rather be at the forefront of those changes. That means sometimes learning new things, because the old way isn’t the best way any more. If you want to learn how computers work once and be done with it, that’s just not always possible. Apple will not and cannot ever work that way and continue being Apple. So the choices are deal with it, or use a PC. They will continue supporting MS-DOS software and have an A:\ drive well into the era of quantum teleportation.

Continued…


…continued

Real quick, I’m just gonna say this. I don’t personally love the security, because it has made things I want to do more difficult. But I have to admire it even if I don’t like that it’s there.

Now, security. Here is what Apple understands and I’ve come to understand by studying the Apple Silicon Macs. Security is not a situation where you can easily pick and choose some parts to be secure and some parts you don’t care about. I was going to say you can’t, but there is a “less secure” mode. Of course, “insecure” mode is still more secure than almost any other computer, so it’s still relative. But Apple as a company has a goal to be authentic, as much as any company can be. If they say “this is most secure” they want to mean it. And when you build a system, which I have built some software systems, you absolutely know the weak points. Maybe they’re not obvious but anyone who fully understands a system knows what they are, in any system.

Your threat model does not include someone cracking FileVault 2. But it HAS been cracked. It’s labor and money intensive, but given enough computing power and full (I’m assuming destructive) physical access to the system, someone can get the data. There is a very expensive tool that uses distributed cloud computing that is available to certain law enforcement. Now, I’m not sure how secure boot protects against this or if it even does, but the point is that any system has weak points and any weak point can lead to compromise. So the only option is to continue removing them.

Your threat model is not the threat model Apple is designing around. They are designing around this idea: “is the system secure, period”. This much is pretty cut and dry. There is a second idea which is “can we do it in a way that enhances the user experience rather than diminishing it” which is much more debatable and I guarantee those debates have happened within Apple since security on computers became a thing.

(interesting side note: in 1984, Steve Jobs gave a talk in Aspen, Colorado at a design conference. He generally predicted about 40 years of computing history, including the iPad (a computer the size of a book with a radio in it, where people would walk around and get email wherever they were, speaking to a room where a handful of people at most even used a computer regularly), with one notable exception: when asked a question about privacy and security, he was noticeably caught off guard and brushed the concerns aside, implying he just couldn’t see it being a big deal almost condescendingly. How naively optimistic. That was 3 years before I was born).

So there is a “global” threat model for security, and that would be a very simple question: is the system secure? If yes, then good work Apple. If no, got some more work to do.

Now you might wonder, how does a bootable drive impact anything? Well, a bootable drive allows running arbitrary code on the system before it’s been activated with Apple. This is probably not that big a deal but it does allow the computer to be used without authorization by the owner. There was a SEP (Secure Enclave) exploit called Blackbird, latest model impacted was the iPhone 6 I believe. And everyone knows about the infamous checkm8 exploit that impacts all iOS devices up until 2018, as well as all T2 Macs (the T2 is a modified A11 processor). I haven’t seen any indication any key material has been extracted via Blackbird and is probably not super critical any more. But security is a one way street in that once you know the weakness and someone can write the code (or AI, nowadays) once, you can put it online and anyone can download it and start unlocking stuff. If your threat model is “is the system secure?” well clearly that would be a big NO! It happens and Apple is smart in that they learn and do it better next time.

And where do bootable drives come in? Well there is a tool based on checkm8 that I’ve only seen recently for T2 Macs that allows bypassing some security with bootable drives. You might recall that T2 Macs actually do not allow booting from external drives either, by default. You need to change a setting and this can only be done with an OS installed, and if you wipe the firmware (iBridge, a modified Apple Watch kernel that runs on the T2 and handles all communication with the Secure Enclave and a few other things, primarily the “bridge” between x86 and Arm that Apple used to transition to Apple Silicon). This exploit allows someone to flip the necessary bits to boot from a USB drive without authorization. From that point you can run arbitrary code with arbitrary permissions. In this case it’s a convenience thing so you can reinstall macOS to the internal disk without downloading it (saves time). But it would also allow someone to install a modified macOS that is compromised in any number of ways that are virtually undetectable. The system is no longer secure. Is this part of MY threat model or YOUR threat model? No. But their threat model is binary and the system fails.

And I guarantee you almost no one even understands that this system is even there, let alone how it works. Apple Silicon Macs are more secure than I could have imagined 2 years ago. There is not a single public record of anyone ever running any user provided code whatsoever before activation in the 5 years since they’ve been released. And I have researched extensively. There has been a lot of research, and there is a lot of profit to be made (which means motivation). And I somewhat suspect there is someone out there who’s done it, but it’s not being made public.

And although there are some significant downsides and I personally don’t agree with a design that essentially bricks a computer if someone loses an iCloud password, I have to admire it. Apple should be proud. If someone asks “is this system secure?” as of today, mid-May 2025, the answer is still YES.


@Brandroid Thanks for your comments. “Apple will not and cannot ever work that way and continue being Apple.” I thought Apple was supposed to be about the user. Maybe I missed it, but I'm not seeing where you described any concrete benefit for the average user. You mentioned some theoretical benefits for a user targeted by a nation state (or other highly sophisticated adversary) who has physical access to the hardware. What are we getting in return for confusion/slowness/unreliability? Bragging rights at a security conference? Surely, they could make Macs even more secure by removing all the ports and the networking hardware. But, obviously, there has to be a balance because there’s no point in having a Mac that’s secure but not useful. Why should I, or anyone really, care about obscure boot attacks when we see a continuous stream of attacks that don’t even need physical access? It seems like locking the door when the window’s open.

Regarding some of your specific points:

- If you are able to restore in an hour, I think you must be using a smaller SSD or not filling it up.

- If you leave an external drive connected and set it to back up automatically, it doesn’t really take any time.

- Even if it did, all time is not equal. It could be worth it to spend a few minutes on a regular basis in order to save a few hours at a critical period.

- Backups are not the only use for bootable external drives. I primarily use them for testing different macOS versions and system configurations.

- I do think a backup computer is a good idea.

- I disagree about this being equivalent in price to a bootable drive and think it’s more of a pain to keep in sync.
