macOS Recovery: Bug or Feature?

July 9 2020 by Jeff Johnson

If you enter diskutil list in Terminal, you can see that your Mac's internal disk has a recovery volume, and if you hold down ⌘r at boot, your Mac boots into the recovery volume. If you've installed multiple macOS boot volumes, either on your Mac's internal disk or on an attached external disk, you may also have multiple recovery volumes. When you hold down ⌘r at boot, your Mac selects the recovery volume associated with the Startup Disk selected in System Preferences, so you can change the recovery volume by changing the Startup Disk. Starting with macOS Catalina, the recovery volume requires a login for some reason. According to Apple's support documentation, "You might be prompted to enter a password, such as a firmware password or the password of a user who is an administrator of this Mac." The word "might" seems a bit misleading: you will be prompted to enter a password on macOS Catalina and later (later AKA Big Sur). The big (Big) question, though — and the purpose of this blog post — is, the password from which volume?

My 2014 MacBook Pro (no bloody T2, T1, or T0) has macOS Mojave installed on the internal disk, with FileVault enabled. For testing purposes, I have an external disk with High Sierra, Catalina, and Big Sur installed; High Sierra and Catalina are in one APFS container, and Big Sur is in its own APFS container, because "If macOS Big Sur 11 beta is installed into the same APFS container as previous versions of macOS, system software updates can no longer be installed on the previous versions of macOS." None of the external volumes are FileVault, because I previously ran into a bug where FileVault rendered the external volume unbootable, but that's not the story of this blog post. The story of this blog post is booting into the recovery volume with this configuration. It works just fine in High Sierra and Mojave recovery, no password required. When I boot into recovery for Catalina or Big Sur, on the other hand, I do get a password request, which is not surprising given the aforementioned support document. What is surprising is that the Catalina and Big Sur recovery volumes request the password for the admin user on my Mojave volume! That's the only option: the Catalina recovery volume doesn't show the admin user from the Catalina installation, and the Big Sur recovery volume doesn't show the admin user from the Big Sur volume either. Once I enter the Mojave admin password, it unlocks all of the recovery functionality, including the ability to run Disk Utility and Terminal. Note that unlocking the recovery volume with the Mojave admin account doesn't seem to unlock the Mojave FileVault volume, strangely.

I honestly can't determine whether this is a bug or a feature. Is there a bug in the volume lookup, or is it intentional that a macOS recovery volume is only unlocked by an admin account on the Mac's internal disk rather than an admin account on the macOS boot volume associated with the recovery volume? In other words, is this supposed to be a hardware lock or a software lock? And what happens if the internal disk has multiple macOS boot volumes?

Let me explain how this issue came to my attention. If I need to boot into recovery, I usually just boot into Mojave recovery — in order to disable System Integrity Protection, LOL. Note that SIP seems to be associated with the hardware rather than the software, so if you disable SIP using Mojave recovery, then SIP will also be disabled when you boot into Catalina or Big Sur. Yesterday, however, I needed to boot into Big Sur recovery specifically, because only Big Sur understands the format of the new cryptographically signed Big Sur system volume. Mojave and Catalina both show an "Incompatible Disk" error when they try to mount the Big Sur system volume. Yesterday I updated from Big Sur beta 1 to beta 2, which went smoothly except for the fact that the update doubled the size of my read-only system volume to over 27 GB, which didn't leave me enough free space on the partitioned external disk to install (the enormous) Xcode. Without Xcode, it's impossible to adequately beta test Big Sur as a developer. It turns out that Big Sur always boots from a snapshot (an APFS snapshot that you can see with diskutil apfs listSnapshots, not a Time Machine snapshot that you'd see with tmutil listlocalsnapshots), and updating to beta 2 apparently added a new snapshot without deleting the old snapshot. I tried to delete the old snapshot, which was listed as "Purgeable" by diskutil, but Big Sur claimed I lacked permission, even with SIP disabled. This is why I needed to boot into Big Sur recovery, and how I discovered that it wanted my Mojave admin password instead of my Big Sur admin password. (The user accounts have different names, in case you were wondering.)

If anyone (who probably works for Apple) has additional technical details about this, I'd appreciate it. I'd also appreciate it if they removed the damn password requirement, which doesn't seem very secure if you can just run an earlier version of the recovery volume to bypass it.

Jeff Johnson (My apps, PayPal.Me)