An M1 Mac Can’t Boot from an External Drive If Its Internal Drive Is Dead
Bombich Software recently updated Carbon Copy Cloner to version 6, and its founder, Mike Bombich, posted a blog entry explaining some of the intricacies involved with updating cloning software for Big Sur and M1-based Macs. One heading may have surprised those who haven’t read all the technical details about M1 changes: “An Apple Silicon Mac won’t boot if the internal storage has failed.”
That might seem bizarre. A core aspect of dealing with system failures on Macs is that you could maintain an external bootable drive, perhaps a bootable duplicate of your startup volume, that lets you use your Mac even if an internal drive was corrupted or failed entirely.
In “The Role of Bootable Duplicates in a Modern Backup Strategy” (23 February 2021), Adam Engst presciently explained why bootable clones might be a thing of the past. Now Mike Bombich has confirmed with Apple that external bootable drives won’t always work!
It’s true, but it’s not as terrible as it sounds. Let me first explain why you should be aware of it but not worry, and then explain the more technical details for those interested in the innards of macOS.
You’re Unlikely To Have a Dead Internal SSD and a Live Mac
The fresh information here is that an M1-based Mac relies on its internal SSD to allow external drives to boot. If the internal SSD has failed or been entirely erased—it contains several hidden volumes—you can no longer boot from an otherwise valid volume on an external drive. Why would Apple do this? To increase security. And, maybe, to reduce its tech support costs.
Relying on details stored only on the internal SSD to control startup from external drives is a way to make it harder for nefarious parties to hijack a Mac’s data. This approach is a shift from Intel-based Macs, which relied instead on firmware (software stored in programmable memory chips that can be updated). However, firmware updates can sometimes fail, causing temporary problems with a Mac or even “bricking” it. There may also be attack vectors related to firmware-based startup control that Apple hasn’t disclosed.
On an Intel-based Mac, you can set a firmware password that prevents booting from anything but a “designated startup disk.” Apple didn’t include that feature with M1-based Macs because the company changed the startup and recovery processes to require knowing a password associated with the selected startup volume. An Apple support document notes: “a Mac with Apple silicon also won’t require (or support) a firmware password—all critical changes are already gated by user authorization.” If you don’t have a valid account and password, you can’t change the startup volume or perform most other recovery features.
We don’t know to what degree problems with firmware updates or undocumented attack vectors contributed to Apple’s switch. Perhaps it was simply an architectural decision: given the reliability of SSDs and the ease of updating them, Apple could shift aspects of security from programmable memory chips to SSD storage. You might intuit that Apple could have had high ongoing costs of technical support related to firmware update failures and knew of exploits that compromise data on a Mac’s internal drive by starting up from an external drive. Maybe the cost of diagnosis and repair for Macs disabled or bricked due to firmware failures was high enough to be a consideration, too. But we don’t know.
However, here are the reasons we’re not too concerned about this change:
- A large majority of people don’t possess a bootable external drive compatible with M1-based Macs and would never create a bootable backup. (We cognoscenti may love booting from external drives, but it’s not a mainstream thing to do.)
- Modern SSDs are extremely reliable. The vast majority of people with Apple silicon Macs will never experience a failure of their internal SSD. Thus, they will never encounter a situation where they can’t boot from an external drive due to an internal drive failure. Look no further than iPhones and iPads for evidence of this fact.
- Should the internal boot volume become corrupted, or the firmware in the Secure Enclave develop issues, Apple provides a range of recovery options, including recoveryOS with macOS Recovery (a separate bootable partition), fallback recoveryOS (another partition), and revive/restore via Apple Configurator on another Mac, as I explain in the next section.
Put another way, the only time you would encounter this problem is if you had set up a bootable external drive and your M1 Mac’s internal drive became so damaged (at a hardware level, likely) that you would need an entire motherboard replacement.
What’s going on at a relatively low level of macOS that makes this possible—even necessary? The nitty-gritty follows.
Apple Silicon Puts Security Policies on the SSD
I learned about this limitation while researching my book Take Control of Your M-Series Mac, during which I dug into the Apple Platform Security guide, which was published in February 2021 (and updated this month). Plus, I had read Howard Oakley’s article “M1 Macs radically change boot and recovery,” which interpreted some of the obscure aspects of new boot policy for M1-based Macs. Howard and I apparently alerted Mike Bombich to this in a Twitter thread—it’s such a new idea, even he took some convincing!
As Howard notes in his article, Apple introduced the notion of the 1 True Recovery (1TR) partition with M1-based Macs. This additional partition, separate from a Big Sur startup volume group, holds the code and data that controls boot-time behavior. On Intel-based Macs, firmware serves this role.
One way 1TR differs from the firmware on Intel-based Macs is that the 1TR partition stores your decisions about startup security policies, the directives you set in the Startup Security Utility available in recoveryOS. You can set a separate policy for each external volume you allow to boot your Mac, but that policy is stored only on the internal drive in the 1TR partition. This technique prevents manipulation and trickery if you opt to vary from the highest level of security available, which is the default mode.
This reliance on 1TR is also why setting up an external bootable volume on an M1-based Mac sends you through a two-step process the first time you boot from it. After you select a volume on the external drive in the Startup Disk preference pane or through the recoveryOS startup process, your Mac restarts and makes you authenticate again. From then on, you can restart directly from that external volume. Because it only happens the first time, people often think it’s an error rather than an intentional process. Here’s what’s happening.
The first step in recoveryOS invokes user authentication to validate the new security policy that will allow that volume to start up the Mac, which it then writes to the 1TR partition. But because the policy hasn’t yet been read from the 1TR partition (which is necessary to know that it’s valid), a second restart happens so that 1TR can read that policy during the boot process and validate that the external volume can be used as the system startup volume.
You can encounter trouble if you erase the internal SSD. If you erase all the partitions, including 1TR, you won’t be able to boot from an external drive. However, if you haven’t erased all the partitions, you can reinstall macOS in one of two ways:
- Use recoveryOS: Shut down your Mac. Then press the power button for 10 seconds and release it only after the startup options window appears. Click Options, authenticate, and reinstall macOS. If that fails…
- Use fallback recoveryOS: Apple added a second recovery partition to macOS for M1-based Macs in case something happens to the main recoveryOS partition. Fallback recoveryOS should start up automatically when the main recoveryOS fails. But you can also trigger it manually: Shut down your Mac. Instead of pressing and holding the power button, press the power button twice in succession, holding it down the second time for 10 seconds until the startup options window appears. With fallback recoveryOS, volume policies aren’t loaded. However, it does let you reinstall macOS, and it silently repairs the main recoveryOS. After reinstalling macOS, you can restart and get back to normal. (In fact, if the main recoveryOS has failed, Apple promotes the fallback recoveryOS to become the main recoveryOS and installs a new fallback recoveryOS in its place. If your head is spinning, join the club.)
If recoveryOS can’t be used, you have to use the revive or restore firmware processes, which require the free Apple Configurator app, a particular cable depending on which M1-based Mac you have, and a second Mac. Apple describes the process in extreme depth. The firmware involved here is the Secure Enclave Processor’s operating system (sepOS), which manages what Apple calls the Secure Boot process, involving elements described above. (You’ve probably never heard of sepOS before, but it’s a thing.)
If the revive or restore process fails, that’s likely an indication of a significant hardware failure. Your Mac will need to be serviced, and Apple might replace either the motherboard or the entire computer.
The beginning of this article reads as if Bombich discovered this. In fact, he might have just publicized it more prominently than others. Various other sites (including this board actually) were discussing this fact long before CCC 6 was released or Bombich penned that blog entry. This article gets into that and credits Howard Oakley, but only far down.
I would just once again try to take the opportunity to plug Howard Oakley’s blog because he has put tremendous effort into testing and documenting exactly how M1 Macs boot, how they behave with external disks, and what cloning workflows can be successful. He discussed things like iBoot, 1TR, and Configurator essentially from the moment M1 shipped and he has been updating information ever since. Let’s give credit where it’s due.
This was a joint effort. Glenn and Howard both speculated about technical aspects of this situation enough to help Mike get Apple to confirm what they suspected. We’re all more knowledgeable thanks to contributions from all three of them.
I wonder if the comparison to iPhones and iPads regarding SSD reliability is straight up since most (home users at least) probably replace their phones and tablets more often than their Macs (definitely true for me). A Mac is more often a bigger investment too. I assume there may be no “right to repair” (yourself) should your controlling SSD fail someday.
On the one hand, I’ve never seen a mobile device’s SSD fail for any reason other than physical damage. I’ve never read of anybody’s phone or iPad hitting the flash’s write limits.
On the other hand, mobile devices don’t (as far as I know) perform swapping. When RAM fills up, the OS starts killing processes. Which it can do because there is only one (or two in recent versions of iPadOS) foreground app and everything else is supposed to be designed to gracefully handle being killed when in the background.
On a Mac, however, there is a swap file. If you exceed your system’s RAM, the swapping is going to pound those flash chips pretty hard. This will definitely shorten the life of the SSD if it happens on a regular basis, but we don’t know by how much. If it means the computer dies in 9 years instead of 10, that will probably be fine for most people. If it dies in 3 instead of 10, that will make headline news.
Finally, when an M1 Mac’s SSD hits its write limit, we don’t know what the practical impact will be. Commercial SSDs are supposed to become read-only when this happens, but we’ve all read stories about devices that failed altogether at that point. If Apple’s fails, the computer will be bricked (unless some independent repair shop can replace the two flash chips and then run Configurator to re-install the iBoot and 1TR partitions). If it becomes read-only, then it might be possible to keep on operating using an external boot device.
Unfortunately, we probably won’t know the answers to these questions until we start seeing these SSDs reach their end-of-life. Hopefully not for many years, but we just don’t know at this time.
I am a little confused by several points. The first is speculation that firmware update failures create a big cost in tech support, which is then disclaimed with a “we don’t know”. It makes it sound like a WAG (hey, I’m old; that used to be a saying). I have never read about or heard of failures in the firmware update process so I’d expect it is extremely rare. A security vulnerability is more likely the reason, as is pointed out. I would love to hear some statistics on firmware update failures. Anyone?
The second is about “completely wiping disk”. Is this even possible except through a process involving an external boot disk to begin with? That seems like a big design flaw to allow Disk Utility (or related processes) to eat the operating system that spawned it. If this is in fact a thing, that would make a good article.
There have been many cases in the past where upgrades to the firmware resulted in a bricked computer. It doesn’t happen often, but when it does, recovery can be extremely difficult and may require servicing by someone with special tools.
As for completely wiping the disk, yes, you need to have booted from something else. On an Intel Mac, this is no big deal, because internal storage is functionally no different from external storage. On an M1 Mac, however, the internal SSD has two APFS containers that external boot volumes do not have, so a complete wipe (not just removing the system container) would result in a bricked computer until you restore those containers using Configurator.
Whether Disk Utility will let you perform this kind of erasure is an interesting question I haven’t yet seen answered.
many cases: 100? 500? 1% of installed base? I’m thinking some cases is more apt. I’m sure it happens, hardware faults, etc, but as you go on to explain “it doesn’t happen very often”. I am not trying to nit, I am seriously curious at how big a problem this is. Obviously that is the same technology used in windows, so maybe there are some statistics somewhere.
If you want a peer-reviewed scientific study, I don’t have one. Like all of us, I’ve read the news reports and blog articles.
Clearly it isn’t a big problem or we’d be reading about hundreds of bricked computers every week. But it is nevertheless important to recognize that it does sometimes happen and there therefore needs to be a way to recover that doesn’t involve Apple replacing the motherboard. Which there is - using another Mac and Configurator to re-create these special APFS containers.
Thanks, that is clear. And no, I was not looking for a peer-reviewed study. Again, I didn’t mean to sound nit-picky, but “many” makes it sound like it is a pervasive problem. Your wording above is very clear, thanks again.
Yeah, @Shamino has said almost exactly what @glennf or I would have. There are plenty of reports of firmware-related problems (which are probably more expensive than others), but as with nearly any hardware problem, it’s almost impossible to quantify it. Apple does do that and uses that data to prioritize fixes and even set up free repair programs.
I may have written this not as crisply as needed! The speculation is not whether firmware updates brick Macs. There’s a long history of this—the exact number, only Apple knows. In 2019, some people had bricked Macs due to a Catalina update related to the EFI firmware for their drive, in fact! Apple doesn’t release statistics on this, and we don’t know their tech support costs. It can cost Apple $25 to just pick up the phone and help someone for 10 minutes. It’s hundreds to several hundred dollars to service a computer.
So the “we don’t know” part is that I cannot tell you if failed firmware updates or handholding with firmware results in a million or $100 million in costs per year. It isn’t free, though, and it might be a significant contribution to the change? Or it might be entirely driven by security and architecture concerns.
I didn’t think it was possible, because Disk Utility is supposed to prevent you from erasing those 1TR partitions on your internal drive. However, it can be done, apparently—see that thread in which Mike, Howard, and I are talking about the boot issue. In that case, you can use the revive/restore operation to get back to business.
Given the number of Macs, it could be hundreds each week, since there’s no central reporting repository, and most people lack a soap box to stand on. It’s bigger than zero, and not so common that it’s constantly talked about, but it’s ultimately known only to Apple.
Howard’s amazing and we have had a very productive correspondence. In my book, I link to him extensively; he’s been a great help with questions; and I recently was able to give him a little detail that he added to one of his posts, which made me happy to contribute back. He’s invaluable. I don’t think there’s anybody else digging in so deeply to the disk partitioning and structure stuff out there—certainly nobody who writes for ordinary mortals.
Coincidentally, Howard just posted this excellent brief summary about why Big Sur isn’t useful to clone for an M1!
Fascinating article, having dealt with wiping and formatting an internal SSD albeit on intel last week.
I relied on the Recovery partition to install, but I did boot off the external SSD clone to both test it and restore the Data partition using Chronosync. I had wondered whether an external fast large SSD would be an option in the future as my main startup disk, not something Apple wants to encourage I see.
I hadn’t considered other partitions, where Recovery resides etc.
I just read Howard’s excellent summary thanks to Glenn’s link. (I’ve read several of Howard’s blogs on other subjects so I am very thankful for him. I am very familiar with Mike Bombich’s work although I haven’t read from him in a long time.)
The Mac system keeps getting more complicated and I do think that percolates down to the everyday user. No doubt security is critical but is there no way that Apple couldn’t make provisions for booting from external drives when the internal SSD has failed? Does this necessarily undermine everything or is that how Apple wants it to be anyway? Of course booting into macOS externally without the internal SSD in control would in part be a different operating system. Assuming most basic changes are not that tough to pull off (actually, it’s already in place for Intel Macs) does security become impossible? If it were possible, I suspect the future would be that very many more users would take advantage of external booting in normal usage. Then Apple would lose much control which is perhaps what’s most important to it. (With perhaps the benefit that the first generation, at least, of silicon Macs could have reduced expiry dates.)
When OS X first came along (or rather was decided on), I was overjoyed because I was a daily Unix user. But I felt the implementation was lacking because less sophisticated users were too easily confused by the interface. I don’t know exactly what I would have done except that I would have done many things differently. I wouldn’t have tried to hide Unix any more than Apple did, but I’d have worked hard at making it easier. A big problem with Unix is the heavy reliance on file system links. As the OS grows, the complication of linking grows. Links are a bit like “goto’s” - often considered evil in programming. But they have their place and are often invaluable. I see the new Mac system container volume disk security structure is especially complicated due to complex links. Could there have been a better way?
Another bugaboo of Unix and Mac OS is file and directory permissions. Disk Utility must have reported millions of permission problems to me over the years and they persist through Catalina (I don’t remember if my external Big Sur disk reports them). I think Apple could have done a far better job at reducing permission problems or providing reliable methods to ease them.
These are issues that affect everyday users so improvements in security is just one of many goals. Also, I wonder if the percentage of more sophisticated users is growing as the number of desktop OS users has dwindled - OR, if the sophisticated users are dying off and younger users are less interested in understanding as much as possible.
Apple implemented this “won’t boot (anything) if the internal drive is dead” ostensibly in the service of security. Sure, security is important, but how much for whom? Some arguably need more of it than others, but for many it comes down to their comfort level. Some people feel they need well-stocked bomb shelters or safe rooms in their homes, some (I, for one, and probably many more) don’t feel that insecure. Apple ought to allow users to decide, which involves weighing the risk/benefit/functionality/cost trade-offs. They did this with FileVault, and, though I’m no tech expert, I imagine they could do it with this issue as well, if they wanted; it’d be much more user-friendly. I wonder what Apple gains by becoming so user-unfriendly? They must profit somehow, but I can’t imagine how.
It 100% is. An external bootable drive is completely feasible. I’m using it with a 2017 Intel iMac and Big Sur. (See An External SSD Gave My iMac a New Lease on Life, 9 April 2021.)
But that’s my main drive. It’s what I always start up with, and when I get Big Sur updates, I apply them in a Big Sur session booted from that drive against that drive. Since this is an Intel iMac, I could keep running even if my Fusion drive died, which is feasible, since it’s got spinning media as part of it.
On an M-series Mac, an unused internal SSD, except for external boot policy, should experience nearly no wear and should run forever.
I’d refer you back to my article, which is that my suspicion is that external bootable drives must be such a tiny fraction of use cases coupled with the extreme longevity and reliability of modern SSDs, that the intersection of a failed internal SSD on an M1 Mac (that’s out of warranty, too) and someone who has an external drive they could boot from or are using seems very very very low.
See my previous comment, but it’s not “user unfriendly” as such. There are distinct advantages that they must believe outweigh the drawbacks. There are very few people who would both have an external bootable drive and have an internal SSD failure—and have a desktop machine, too, I think, since if you had a laptop, you’d be carting around an external drive if the internal had failed.
Yes, it’s clear with an Intel Mac. I meant with M Series Macs onward and curious about having the option with them to easily replace your main drive with another, newer, faster, larger one.
The increasing confluence of iOS and Mac devices has many points where they meet, the approach to booting being yet another one.
You can absolutely run your M1 Mac from an external drive as the startup. The only reason you wouldn’t be able to is if the internal SSD failed. Which is unlikely, as I’ll keep repeating.
Onward, I don’t think it’ll change, because the M1 approach is just about managing secure policy, not at all preventing external drive use. The issue we’re really focused on is making bootable duplicates, and that (at least for now, probably worse in the future) will probably not improve. But that’s really distinct from a bootable external drive as your main drive.
Ah, it finally sinks in. Cheers.
In one of his posts on this topic, Howard makes the analogy that 1TR is essentially the same as the firmware on an Intel Mac – if the firmware dies/becomes corrupted, you can’t boot from an external disk. The difference with Apple Silicon Macs is that the firmware is no longer a separate chip, but a hidden partition(s) on the internal storage. Disk corruption on what you see as your ‘internal drive’ in MacOS is not going to cause problems for the 1TR ‘firmware’. As @glennf points out, if 1TR isn’t working you most likely have a significant hardware issue.
(There are obviously loads of differences in how the ‘firmware’ actually operates between the two platforms, but you can simplify for a high-level overview of whether it’s possible to boot from an external disk.)
And that issue is really about how difficult it is (maybe impossible in the future) to clone the system volume in Big Sur+ to your backup drive. You can ‘easily’ create a bootable duplicate by making a duplicate of your data volume and then installing Big Sur (or presumably future MacOS versions) onto the duplicate. The issue is that you then have to remember to boot into this duplicate and apply system updates whenever they’re released. There’s no way for drive cloning utilities to incrementally update the system volume on the duplicate by copying changed files from your boot drive.
By the way, great article Glenn – it brings this complex set of changes together in a single easy to read reference.
If I’m installing Linux in the distant future, I’m less likely to accidentally format firmware, compared to essential partitions on an internal SSD.
As long as you stick to fuzzing with the container that holds the Data volume (disk0s2) you’ll be fine. You just want to make sure you keep your fingers from touching disk0s1.
I think somebody installing Linux on an ARM-based Mac is so far beyond mainstream that they can be expected to be knowledgeable enough not to nuke the bootloader and “firmware” (well, not so ‘firm’ now I guess).
But even if you accidentally do, it’s not the end of the world. Just get another Mac hooked up and use Configurator to clean up the mess and restore the initial setup.
Source of that beautiful schematic:
We think. Yes, the iBoot and 1TR code appear as separate APFS containers on a single SSD, but teardowns have shown that there is a 64MB NOR flash chip alongside the multi-gigabit NAND flash chips that form the SSD.
We don’t yet know what that flash chip holds. If it’s the iBoot and 1TR containers, then we’re no worse off than what Intel Macs have. I’m hoping that someone will be able to figure this out and let the rest of us know.
In my view the ideal solution would be for Apple to make the SSD user-replaceable, maybe with some form of physical lock on the access door. That way you won’t end up with a brick if the SSD fails.
I totally get and agree with the security thing, but having a replaceable SSD would not compromise that as the data on the drive would be encrypted and there is no difference then between stealing the drive or stealing the whole system.
Either way you will need to have a backup if you are worried about the risk of theft, but at least with a replaceable SSD it could be replaced if it fails so that you aren’t left with junking the whole system and getting a new one if it is out of warranty.
IMHO this fear of failing SSD is exaggerated. Very few iPhones/iPads have suffered from it. Now with Macs I just don’t see why we should expect so much more. Sure we hold on to our Macs a bit longer and read/write patterns are different, but so different to expect 1-2 orders of magnitude difference in failure rates? Doubt it.
The real issue IMHO is that these days (and this started well before M1) everything has to be configured right at initial purchase time. Later recognize you want more storage? You’ll need to buy a new Mac. On an iPhone that might be easier to handle because most people probably upgrade on a max 3-4 year schedule, but Macs are generally thought to have more life. Maybe no longer, at least in terms of initial owner. It will be interesting to see if this eventually puts some pressure on traditionally high Mac resale value.
My iPad (the only one I’ve ever owned) is as old as my MacBook Air – both from 2013. The iPad continues to work just fine, no failed SSD. It is a bit slow now and I’ll likely replace it soon, but the same is true of my MBA. I imagine there are a lot of people that hold onto iPads for a similar amount of time as their Macs and as you say, there aren’t loads of stories about failed SSDs.
Yeah, this is the real issue for me too. One of the main reasons I’ve not yet replaced my MBA with the new M1 ones is that I’m hoping the rumours of compact flash slots coming back to MacBooks are true. It’s useful for transferring photos from my Fujifilm camera, but the big reason I love the CF slot is that it provides a reasonably convenient way to add storage to a Mac laptop. Before I replaced the SSD in my MacBook Air with a larger one, I had a 256GB CF card I carried around all the time and used for a subsection of my files. (And of course it was included in my backup strategy!)
It’s important to realize that what we call an “SSD” on an M1-based Mac (and Apple laptops in general, for quite some time) is really just one or more chips soldered onto the motherboard. There is nothing anyone would recognize (or that any other company sells as) as an SSD that could be removed and replaced.
Yes, pretty much my point. It would in my view be better if this were not the case.
What no-one seems to know (as far as I can find out) is what the interface is between the SOC and the “SSD” (or whatever one calls it!). Assuming it is not some form of direct addressing from the memory management circuitry (which maybe it could be) it is likely that there is a bus which could be implemented through a connector rather than directly soldered connections. Yes, it might be very slightly less reliable, and cost very slightly more to manufacture, but at stake is the reputation of M1 Macs.
In time we will know, but if there is any likelihood at all that the “SSDs” will fail before people feel they should do (7-8 years maybe?), resulting in bricked systems, Apple Silicon based Macs are going to get a drubbing from the press and anyone else who is out to get Apple (of course no-one out there wants to do that, do they?).
Apple must be incredibly confident that these SSDs will last for the life of all the other components. Let’s hope that confidence is not misplaced. I am personally apprehensive about getting an M1 Mac at present purely because of this issue.
This isn’t an M1 Mac issue, so I’m not sure how this will impact the reputation of them as opposed to Macs in general. The ‘SSD’ on MacBooks has been some chips soldered to the logic board since around 2016 I believe, so going on for five years now. So far I’ve not heard that failure of these storage chips has been an issue.
Also, in your list of benefits, you left off one that I think is key to why Apple has gone this direction: size/space. Soldering the storage chips directly to the logic board saves a lot of space versus a connector and supporting card. And not just the reduction in actual space, but there’s an increase in flexibility as to where they go and the overall layout of the machine. I think if Apple could offer replaceable SSDs and not have to sacrifice any space or layout flexibility, they would have continued to do so (ditto for the battery).
Apple has no motivation to do this and it’s clear from the last several years, it’s not a direction that they feel has any value in taking, or they would have used the M1 as the opportunity to do so with a clean slate.
I realize it’s frustrating to lack an upgrade path, as I have certainly felt that with my last two non-upgradable laptops, when I finally left the “swap a hard drive or SSD” pathway. But Apple is almost always looking for the intersection of manufacturing complexity reduction, material reduction, price, and mass market.
Relatively few people need to update the storage on their laptop drives in the current era of 500GB and 1TB drives predominating; Apple wants to push them into upgrading a laptop. I don’t know this as a fact—but it’s a supposition given Apple’s high ratings among customers in published surveys and the fact that it addresses product needs by changing out products.
If it were truly a thing Apple needed to do, they could have a side module you could pop out and stick a new SSD module into, I’m sure.
On the desktop and via Thunderbolt 3 there are tons of opportunities for drive expansion, so it’s as if Apple is channeling that desire into that particular path.
Fewer connections results in fewer failures, too. The more you have to package something and plug it together, the more likely some portion may be a weak link.
The difference now is that the system is dead if the SSD fails. That wasn’t the case previously, and that’s the difference for me. You’re all correct with everything you say, but the stakes are higher now.
And, as signal voltages are made smaller, connector corrosion becomes a primary failure mechanism.
I’ve read this article a few times. I’m not seeing how this (to be specific the 1TR partition) is making the Mac more secure.
The linked article by Howard Oakley is a great place to start on that technical journey. I try not to wave my hands and whisper trust me, but I think it gets very technical very quickly, and most of our readers aren’t interested in quite low-level issues.
The basics: Past attacks on firmware through update mechanisms make it a feasible and commonly attempted pathway to bypass hardware and software protections on a Mac’s boot process. Even with signed updates and other secure mechanisms, Thunderbolt and other firmware has been maliciously rewritten in theoretical and in-the-wild cases.
Shifting some of the boot process into the Secure Enclave Processor OS (sepOS)'s Secure Boot system and having some elements on a volume that’s cryptographically locked and validated by the Secure Enclave means that it’s nearly impossible to use firmware as a path in.
The Secure Enclave’s firmware can be updated, and Apple’s revive/restore process described in the article is a way to repair or replace the sepOS and reinvigorate Secure Boot.
Using the SSD to store system security policies for startup volumes provides a secured, specific, and controllable place to store permission that’s volatile (can be rewritten) but isn’t connected to weak firmware. To my understanding of Secure Enclave, the policy can’t be stored in the Secure Enclave and retrieved. However, it can be stored on the internal SSD’s 1TR, and then the Secure Enclave used to validate its authenticity in a very strong, ostensibly unbreakable fashion. (That is, the crypto is good, but someone could find an exploit as always—it’s cryptographically strong.)
That may not sound like enough of a win to you, which is why I included a little speculation in the article. There’s clearly a combination of factors related to architecture, simplicity, security, and technical support cost that together made this new approach the right one for Apple, despite the historic change.
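To make the pattern in the explanation above concrete, here is an added illustration (not Apple's code, and not from the article): the startup policy is kept on ordinary, rewritable storage that stands in for the 1TR volume, while the key used to check its authenticity never leaves a stand-in "enclave". The policy can be rewritten by anyone who can write the disk, but a rewrite without the enclave key fails verification and the boot is refused. The HMAC-SHA256 tag, the `seal_policy`/`load_policy` names and the demo key are all assumptions made for this example; the real Secure Enclave scheme is not published at this level of detail.

```python
import hashlib
import hmac
import json

# Constructed demo key. In the real design the key lives inside the Secure
# Enclave and is never exported; here it is a fixed value so the example runs.
ENCLAVE_KEY = hashlib.sha256(b"constructed-demo-enclave-key").digest()


def seal_policy(policy: dict, key: bytes = ENCLAVE_KEY) -> bytes:
    """Serialise a startup-security policy and append an authentication tag.

    The returned blob is what would be written to rewritable storage (the
    stand-in for the 1TR volume). Only the holder of `key` can produce a
    tag that verifies, so rewriting the blob on disk is detectable.
    """
    body = json.dumps(policy, sort_keys=True).encode()  # single line, no '\n'
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def load_policy(blob: bytes, key: bytes = ENCLAVE_KEY):
    """Return the policy dict if its tag verifies, otherwise None.

    None models the case where the enclave refuses to honour the policy:
    the blob was altered, or it is absent because the storage that held
    it is gone (the dead-internal-SSD scenario from the article).
    """
    body, sep, tag = blob.rpartition(b"\n")
    if not sep:
        return None  # no tag at all: missing or truncated policy
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None  # tampered body or tag
    return json.loads(body)


def boot_decision(blob: bytes, key: bytes = ENCLAVE_KEY) -> str:
    """Decide whether an external volume may boot under the stored policy."""
    policy = load_policy(blob, key)
    if policy is None:
        return "refuse: no valid startup policy"
    if policy.get("external_boot"):
        return "boot: external volume permitted"
    return "refuse: external boot disabled by policy"


if __name__ == "__main__":
    stored = seal_policy({"external_boot": True, "security": "reduced"})
    print(boot_decision(stored))
    # Someone with write access to the disk flips the setting without the key.
    print(boot_decision(stored.replace(b"true", b"false")))
    # The storage holding the policy is gone entirely.
    print(boot_decision(b""))
```

Running the block prints a permitted boot for the genuine policy, a refusal for the rewritten copy (the tag no longer matches), and a refusal when the blob is empty, which is the simplified analogue of an M1 Mac whose internal SSD no longer holds the policy it needs to authorise an external startup disk.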
The computer for the rest of us, 1984 - 2020. RIP.
Whenever I have to make the transition to Apple silicon, I’ll miss a simple, reliable Thunderbolt, bootable clone that can boot the Mac even after its internal storage has failed.
I think people really need a reality check. These are SSDs we’re talking about, not hard drives. Unlike HDDs, SSDs have no mechanical parts and very rarely fail, especially not the quality stuff that Apple has been relying on lately.
If on a previous T2 Intel Mac you relied on firmware to provide you with Recovery Mode when something goes sideways, rest assured the M1-based Mac will just as well provide you with 1TR from its internal solid state memory. There is really no reason to panic here.
I’ve been an Apple user since 1978 and a ‘developer’ since 1984, having gone through every model, including 6 Lisas and 10 PB100s. Why? Because computers fail and parts could be swapped and I needed to keep going quickly and work from anywhere. My MBP is a 2010 that runs Catalina and I back up with bootable clones of 2TB disks (Apple has ‘stolen’ iTunes data so no cloud) so I can swap disks into duplicate backup hardware and keep going quickly. I need to upgrade for speed and multiple cores, but can/should I imagine 11 years of convenience and stability with a new machine?
But we have read reports from people with dead SSDs. Mostly older SATA-based models that probably have older technology (both in the flash chips and in the wear-leveling algorithms), but there is one other concern - virtual memory.
When an app on a phone consumes all RAM, iOS kills background processes and if that’s not enough, it kills the foreground app. When an app on a Mac consumes all RAM, it starts swapping. That produces far more writing to storage than occurs in any other scenario. If it happens on a regular basis (perhaps because the Mac doesn’t have enough RAM for the tasks it normally performs) then that could lead to premature SSD failure.
Whether such failure will result in a dead SSD or simply make it read-only is a question we don’t have an answer to yet. If the former, it may require a motherboard replacement. If the latter, then you may be able to switch to an external SSD.
Another question we don’t yet know the answer to is if the flash chips can be replaced by someone with the necessary soldering skills. If the chips are cryptographically linked to the M1 (much like how the flash modules in a Mac Pro are linked to its T2 chip), then dead chips are irreplaceable. If, on the other hand, you can replace them with new chips and run Configurator to re-create the iBoot and 1TR containers, then many independent repair shops will be able to get you back up and running for much less than the cost of a new motherboard. (Assuming, of course, that Apple didn’t design their board around proprietary flash chips that the manufacturer isn’t allowed to sell to anyone else.)
Honestly: would you react the same way if this were not Apple, e.g. let’s say this was Lenovo?
e.g. Lenovo notebooks would not boot from an external drive if the internal drive fails. Lenovo notebooks need to be restored from a 2nd Lenovo computer if a drive partition is overwritten. Albeit: they are more secure though.
I think it’s appropriate that there’d be some consternation about this. At least about how to adapt to future troubleshooting scenarios.
IMO this is a marked deviation from previously, in that, if I had a misadventure, I could boot a Mac from a floppy drive, or a CD-ROM drive. Then, Internet Recovery. My understanding is that Apple never really provided first party tools to easily make bootable clones, but we could install macOS onto an external drive e.g. a thumbdrive, which could at least lead to a computer that could start up.
Apple-provided no-moving-parts parts have failed before: e.g. graphics cards, crackly AirPods, ring-of-death HomePods. Firmware updates on Series 3 watches. I had a backlight failure on a 2017 MacBook Pro. After servicing, the Touch Bar didn’t work until serviced again. The MacBook Pro was out of action for 1.5–2 months, even with a local Apple Store. Although: during a pandemic.
Just get… I’m afraid to ask: do people here use Apple Configurator?
Ooh, I like. But then… it’s terrible to use. This app is ripe for a replacement with something with more features and that is easier to use. Maybe even soon. Maybe even with Family Sharing ± Screen Time support. Because basic management of multiple Apple devices quickly gets tedious (e.g. system updates).
One thing I’m wondering about.
This seems to imply that in order to give my machine in for service I will need to give them my login password so that the service people can unlock the drive and do any testing needed. Is this the case?
On an Intel machine with filevault activated I can be satisfied that the service tech is unable to access my data (or even know my login password) and doesn’t need it in order to do their work since they can test the machine by booting from an external volume.
But going forward it seems I need to give them the keys to the kingdom. I work in an industry where I have fairly sensitive client data on my laptop and I like being able to keep that data safe from service techs.
Am I misunderstanding the situation? Are there any strategies to mitigate this going forward for when I inevitably do all my work on an Apple Silicon machine?
Set up a Guest user account that is visible on boot up that service can log into without a password. I have one set up on my MBA for just such an occasion.
I’m not sure about M1 Macs, but my 2020 MBP requires an administrator account in order to boot into recovery mode.
That’s an interesting question, but I would be shocked if Apple would ever ask for your login password—it would be a huge privacy breach and legal liability. Apple tells users to enable FileVault and make a backup, and that it isn’t liable for lost data. And, of course, Apple never asks for your iPhone or iPad passcode when you send those devices in for repair.
I have to assume that Apple can tell if a device—Mac, iPhone, or iPad—is functional after repair with respect to the problem it came in for without any access to the user’s account and data.
Well… it’s not just Apple that does service. I’ve had keyboard and screen service done locally (at an Apple authorised repair center). But given the need for them to be able to boot the machine and… say… test the keyboard or something… I’m not sure how they could do that without my login credentials (again, assuming I’m not misunderstanding the issue).
I can think of a number of ways to mitigate the access to sensitive data… but the sheer fact of needing to give admin privileges to a service tech. That seems Very Not Good ™ to me.
That said. I can count on one hand the number of times I’ve actually needed to send one of my macbooks in for service over the years. But it does happen and it would be good to understand the situation fully so I can prepare before a problem occurs.
If Apple needs to test the keyboard or trackpad, they can just boot what you’ve got and click/type on the authentication screen.
As @ace wrote, Apple doesn’t try to preserve your data. If they feel that a motherboard swap or (back when they were replaceable parts) an SSD swap is necessary, they’ll just do it and return you a computer with a clean macOS installation, telling you to restore/migrate from a backup.
If your problem is something where they need to log in (maybe in order to run software diagnostics), my experience has been that the Genius you talk with will work with you to run some tests, and will probably recommend a motherboard swap if he can’t fix it while you’re there.
I have, on the other hand, seen some third-party repair shops ask for login credentials so they can properly test the results of their repairs. Which is important if you’re repairing a board, since booting to the login screen really won’t be enough to prove that it has been properly fixed.
I would like to think that any reputable shop will be able to work with you if this is not acceptable for some reason (maybe tell you to enable booting from USB so they can boot a shop-disk for testing purposes, while leaving your internal SSD encrypted). But, of course, this will all depend on the policies of the shop and the nature of any required repairs.
Of course, if you require data recovery, then you’re going to have to give them login credentials because they won’t have any other way of getting your data off of the device. But again, a shop may be able to work with you if the data is sensitive (e.g. invite you to the shop to supervise the data recovery process).
I wasn’t referencing booting into recovery mode… if hardware needed to be checked or the OS reinstalled, service should be able to do that via network boot in store. They definitely could with Intel Macs.
Again, a Guest User account set up in advance by you requires no password entry on the part of service. And when they log out, it’s like they weren’t even there, everything gets restored to as it was before.
The article talks about needing to set the boot device from recoveryOS which is why I went down that route. It would be interesting to see if you can network boot an M1 machine in this situation or if the same security policy applies.
Re: the guest account. I totally see what you’re saying now. Yes, this would definitely work and I’ve activated it on my machine (though it’s not, strictly speaking, needed at this point in time).
Sensitive client (or personal) data should never be stored in cleartext on your machine. One solution in the OS X and macOS space which has served well over many OS versions is the use of an encrypted volume to store sensitive data. A simple encrypted volume or FileVault encrypted volume would do the job. The non-FV volume has the advantage of not needing special backup procedures and can reside on internal or external drives. This is what applications such as 1Password do to securely store passwords and other sensitive data.
Note that segregating sensitive data to external drives isolates that data from Apple or other service technicians. This makes Intel/Apple CPU differences moot in most cases. And thus, either macOS boot in a storm will do.
I don’t think Apple does it now, but they have in the past. I took a computer into the Apple Store for a hardware problem, and I was a bit surprised when the Genius asked for a password. If I recall correctly, he did suggest just setting up a test account if I was uncomfortable with providing a password. It didn’t really matter in my case because I had just wiped the drive and reinstalled the OS, so I just gave it to him.
Oh yes, definitely. My volumes are always FileVault encrypted – it’s the only way I would ever let this thing out of my direct eyesight, never mind sent to a repair center.
External drives are also definitely a possibility but it makes working in some of the locations I find myself a bit more difficult (sometimes I need to work on my lap sitting on a stool, for example) so I tend to keep things onboard if at all possible.
Exactly my experience as well. This was about 3 years ago, here at the Apple Store in Berkeley.
I’d be fine giving them a guest account or even a fresh admin account. But I would never give them my account. If that were to become necessary, I’d wipe the drive first.
A few weeks ago I went to an Apple Store to have my iPhone Battery replaced. The Genius, who was sitting across from me, asked me to type in my password and then change it to one he gave me. I reset it to a new password when I got it back.
Interesting. Sounds like when Apple employees are working with you in person in an Apple Store, they’re likely to ask for a password or passcode. Makes some sense, I guess, since they’re not likely to have the same level repair capabilities as the main repair centers.
I figure it’s good to have a guest account enabled anyway.
If you give me a clean admin account I can get at all your data that is not encrypted.
Bingo…so my thought is to max the RAM and get at least a 2TB drive in anything you buy these days
True… but your iPhone or iPad is just as dead if its SSD fails and we haven’t heard of great problems in this area… but granted it is true that Macs generally hang around longer than either of those portable devices. Also… there are varying definitions of “dead” for the SSD. From what I’ve seen here and elsewhere, as long as the firmware (not the right word but whatever) part that provides the verification/authorization/allows the external drive to boot works then all is good… and that part will get used and written to far less than main memory so it is less likely to fail. The most likely failure mode of these SSDs is likely to be using up all the write cycles and becoming read only… again from what I’ve read… and read only should allow external booting to take place.
Besides…Apple’s gonna do what Apple’s gonna do…and if the alternative is going to Windows then I’m guessing that the vast majority of us will just gripe and go along with it.
I wonder if reverse backup is an option - I didn’t read the article yet, but if booting into an external drive and updating that drive is possible, would backup software be able to “clone” to the internal drive just like it used to the other way?
Yes, but that doesn’t mean that we should never question the approach they decide upon.
Almost everyone here seems totally accepting of this and relatively relaxed about it, and I honestly do see that there is some logic to it, particularly from the security perspective. However in any compromise policy (which, let’s face it, this is), there will be pros and cons, and the big question which in reality we don’t know the answer to is whether any of the cons will turn out in retrospect to have been serious enough that they should have been considered show-stoppers.
It’s just like government policy - sometimes things work out for the best, but sometimes although some (“misguided”) people question it, government goes ahead anyway and the policy turns out to be a massive mistake in the long term.
No-one knows for certain, of course, until we get to the long term, but from everything I have heard there is a risk here that over this timescale this will be a bad policy that results in loads of bricked Macs for which the only outcome is that they just have to be junked (or, optimistically, recycled). And these are not cheap enough items to be considered “disposable”.
Only time will tell, of course, but Apple have not given me any concrete reasons to be optimistic about this except simply “Trust us”. Am I the only one who doesn’t?
So am I correct in understanding the article to say that if you have erased all partitions, your only option is a second Mac and Apple Configurator? This doesn’t seem to quite be explicitly stated in the article.
If you’ve managed to format all containers on your internal SSD, yes. Or you go to an Apple store and they can set up your M1 Mac for you again.
You really have to make a deliberate and non-negligible effort to wipe out all containers on the internal SSD though, so it’s not as if this were some trap an unassuming casual user could just fall into. You deliberately have to nuke it, and if you follow those procedures I think it’s fairly safe to assume you should know what you are doing and have at least a rough idea of what the fallback and/or rollback entails.
The situation I’m worried about is if someone is putzing around with Linux (or perhaps the Mac command line; I accidentally fried a drive that way when I was trying to set up a home-rolled Fusion drive).