Beware secure boot in Catalina


Saw the link to this video on Riccardo Mori’s blog:

Sometimes the firmware in the T2 security chip (which, if I’m not mistaken, is basically inside every Mac produced today except the iMac line) gets corrupted and that leads to corrupted data. Before Mac OS 10.15 Catalina shipped, Rossmann says, the problem was relatively easy to fix. Catalina, however, automatically opts you in enabling Secure Boot, a feature that, as the Apple Support page states, “make[s] sure that only a legitimate, trusted operating system loads at startup”.

“Now the problem here,” continues Rossmann, “is that if you enable Secure Boot, I can’t boot the machine into an external operating system in order to try and grab files off of your corrupted operating system the way that I used to, and I’m not able to access the drive as well via the ‘Lifeboat connector’ to get information off the soldered-on SSD because there is no more ‘Lifeboat connector’ after 2017.”

“Now, what’s really really bad here is that if you have Secure Boot enabled and your T2 firmware just decides [for] whatever reason it’s going to die, the only way that I can get the computer to work again is by… destroying all of your data. I need to erase it in order to get the computer to work again. But your data wouldn’t have been retrievable anyway, because the computer is dead. So, when the computer is dead your data is there, but to get the computer to not die, I need to erase your data. And what’s really bad with Catalina is that it seems to opt people into this by default. […] Every single customer that we have explained this to has said I don’t remember opting into that, I don’t remember choosing that”.

Rossmann’s suggestion to all people using Catalina is therefore to go and disable Secure Boot if they want to have a chance at recovering their data should a failure of the T2 chip occur.

1 Like

@bowline, are you aware of widespread T2 failures?

1 Like

Nope. But this NYC repair guy, who’s fairly well known, has apparently seen it enough to make a video.

My desktop Macs are secure at home, so I doubt when I upgrade past Mojave I’ll keep secure-boot enabled.

So, there are three choices wrt Secure Boot: Full Security, Medium Security, and No Security. Which choice is Mr. Rossmann recommending?

Side issue: What about firmware password?

I think this says it all.

This would only be a problem if:

  • You did not have any backups
  • You could not do a nuke and pave without the restore partition or internet restore
  • You’re a mac power user that doesn’t like the fact that Apple’s main customer base gets the benefit from this (namely all non-power users)

to be clear; the benefit of this feature is security.

And, there’s one glaring omission in his story. (It’s not entirely factually correct)

You can have secure boot and still boot into an external MacOS clone.

The secure boot feature talks about signed and trusted operating systems that will boot the system (= current MacOS version and Windows version)
This has nothing to do with booting the machine to get data off.

The feature to allow getting data off is the external boot feature. So if you have a clone, and want to boot from that you WILL have to have this enabled.

My suggestion would be to leave the Secure boot at Full Security and allow external boot.

That way whatever your T2 throws your way you should be ok.

oh yes: and of course enable your firmware password!


The whole point was that you cannot do that if the T2 firmware gets corrupted.

How can a firmware get corrupted?

I guess this only happens when you (or Apple) updates the firmware?

How often does this happen?

The takeaways seem to be,

  1. If your computer fails, you might lose your data
  2. He is mad (madder) that he can’t repair newer Apple computers

This (like nearly all security-related things) comes down to a risk vs benefit decision. Personally, I take the view that my computing devices are ephemeral and reinstalling a troublesome OS and restoring from a backup is the preferred, default recovery option. That makes this (mostly) a non-issue for me.

Professionally, I also like the fact that the data on a lost or stolen T2 Mac is essentially completely out of reach to anyone who may end up in possession of the device.

I do understand that others have very good use cases for wanting to be able to boot from external devices and even to run “untrusted” OSs. Thankfully there is still a way to do that.

The statistical probability that the T2 firmware can get corrupted? Can’t help with that, but iPhone firmware corruption is rare but common enough to have procedures in place for system restores. That’s not possible on the Mac if there is T2 corruption… which is the point.

I think this means you intend to use (or continue using) Secure Boot. Right?

This post seems to be saying that many T2 firmware corruption problems were caused by attempting, perhaps inadvertently, to downgrade the firmware to an older version. Of course there’s no way of knowing whether this is what Mr. Rossmann was seeing.

Rossmann’s video came more than half a year after that blog post, he never says he did that, and if you read the comments you’ll see that a subsequent Catalina update revived machines bricked from that particular issue, so it’s doubtful that’s what Rossman is dealing with.

Yes indeed I do intend to continue.

1 Like