Originally published at: An M1 Mac Can’t Boot from an External Drive If Its Internal Drive Is Dead - TidBITS
A little-noticed fact about M1-based Macs has started to get some attention. If the Mac’s internal drive is dead or fully erased, you can’t boot from an otherwise valid external drive. Why would Apple make that choice? Security, security, security.
The beginning of this article reads as if Bombich discovered this. In fact, he might have just publicized it more prominently than others. Various other sites (including this board actually) were discussing this fact long before CCC 6 was released or Bombich penned that blog entry. This article gets into that and credits Howard Oakley, but only far down.
I would just once again try to take the opportunity to plug Howard Oakley’s blog because he has put tremendous effort into testing and documenting exactly how M1 Macs boot, how they behave with external disks, and what cloning workflows can be successful. He discussed things like iBoot, 1TR, and Configurator essentially from the moment M1 shipped and he has been updating information ever since. Let’s give credit where it’s due.
This was a joint effort. Glenn and Howard both speculated about technical aspects of this situation enough to help Mike get Apple to confirm what they suspected. We’re all more knowledgeable thanks to contributions from all three of them.
I wonder if the comparison to iPhones and iPads regarding SSD reliability is straight up since most (home users at least) probably replace their phones and tablets more often than their Macs (definitely true for me). A Mac is more often a bigger investment too. I assume there may be no “right to repair” (yourself) should your controlling SSD fail someday.
On the one hand, I’ve never seen a mobile device’s SSD fail for any reason other than physical damage. I’ve never read of anybody’s phone or iPad hitting the flash’s write limits.
On the other hand, mobile devices don’t (as far as I know) perform swapping. When RAM fills up, the OS starts killing processes. Which it can do because there is only one (or two in recent versions of iPadOS) foreground app and everything else is supposed to be designed to gracefully handle being killed when in the background.
On a Mac, however, there is a swap file. If you exceed your system’s RAM, the swapping is going to pound those flash chips pretty hard. This will definitely shorten the life of the SSD if it happens on a regular basis, but we don’t know by how much. If it means the computer dies in 9 years instead of 10, that will probably be fine for most people. If it dies in 3 instead of 10, that will make headline news.
Finally, when an M1 Mac’s SSD hits its write limit, we don’t know what the practical impact will be. Commercial SSDs are supposed to become read-only when this happens, but we’ve all read stories about devices that failed altogether at that point. If Apple’s fails, the computer will be bricked (unless some independent repair shop can replace the two flash chips and then run Configurator to re-install the iBoot and 1TR partitions). If it becomes read-only, then it might be possible to keep on operating using an external boot device.
Unfortunately, we probably won’t know the answers to these questions until we start seeing these SSDs reach their end-of-life. Hopefully not for many years, but we just don’t know at this time.
I am a little confused by several points. The first is speculation that firmware update failures create a big cost in tech support, which is then disclaimed with a “we don’t know”. It makes it sound like a WAG (hey, I’m old, that used to be a saying). I have never read about or heard of failures in the firmware update process so I’d expect it is extremely rare. A security vulnerability is more likely the reason, as is pointed out. I would love to hear some statistics on firmware update failures. Anyone?
The second is about “completely wiping disk”. Is this even possible except through a process involving an external boot disk to begin with? That seems like a big design flaw to allow Disk Utility (or related processes) to eat the operating system that spawned it. If this is in fact a thing, that would make a good article.
There have been many cases in the past where upgrades to the firmware resulted in a bricked computer. It doesn’t happen often, but when it does, recovery can be extremely difficult and may require servicing by someone with special tools.
As for completely wiping the disk, yes, you need to have booted from something else. On an Intel Mac, this is no big deal, because internal storage is functionally no different from external storage. On an M1 Mac, however, the internal SSD has two APFS containers that external boot volumes do not have, so a complete wipe (not just removing the system container) would result in a bricked computer until you restore those containers using Configurator.
Whether Disk Utility will let you perform this kind of erasure is an interesting question I haven’t yet seen answered.
Many cases: 100? 500? 1% of installed base? I’m thinking some cases is more apt. I’m sure it happens, hardware faults, etc., but as you go on to explain “it doesn’t happen very often”. I am not trying to nit, I am seriously curious at how big a problem this is. Obviously that is the same technology used in Windows, so maybe there are some statistics somewhere.
If you want a peer-reviewed scientific study, I don’t have one. Like all of us, I’ve read the news reports and blog articles.
Clearly it isn’t a big problem or we’d be reading about hundreds of bricked computers every week. But it is nevertheless important to recognize that it does sometimes happen and there therefore needs to be a way to recover that doesn’t involve Apple replacing the motherboard. Which there is - using another Mac and Configurator to re-create these special APFS containers.
Thanks, that is clear. And no, I was not looking for a peer-reviewed study. Again, I didn’t mean to sound nit-picky but “many” makes it sound like it is a pervasive problem. Your wording above is very clear, thanks again.
Yeah, @Shamino has said almost exactly what @glennf or I would have. There are plenty of reports of firmware-related problems (which are probably more expensive than others), but as with nearly any hardware problem, it’s almost impossible to quantify it. Apple does do that and uses that data to prioritize fixes and even set up free repair programs.
I may have written this not as crisply as needed! The speculation is not whether firmware updates brick Macs. There’s a long history of this—the exact number, only Apple knows. In 2019, some people had bricked Macs due to a Catalina update related to the EFI firmware for their drive, in fact! Apple doesn’t release statistics on this, and we don’t know their tech support costs. It can cost Apple $25 to just pick up the phone and help someone for 10 minutes. It’s hundreds to several hundred dollars to service a computer.
So the “we don’t know” part is that I cannot tell you if failed firmware updates or handholding with firmware results in a million or $100 million in costs per year. It isn’t free, though, and it might be a significant contribution to the change? Or it might be entirely driven by security and architecture concerns.
I didn’t think it was possible, because Disk Utility is supposed to prevent you from erasing those 1TR partitions on your internal drive. However, it can be done, apparently—see that thread in which Mike, Howard, and I are talking about the boot issue. In that case, you can use the revive/restore operation to get back to business.
Given the number of Macs, it could be hundreds each week, since there’s no central reporting repository, and most people lack a soap box to stand on. It’s bigger than zero, and not so common that it’s constantly talked about, but it’s ultimately known only to Apple.
Howard’s amazing and we have had a very productive correspondence. In my book, I link to him extensively; he’s been a great help with questions; and I recently was able to give him a little detail that he added to one of his posts, which made me happy to contribute back. He’s invaluable. I don’t think there’s anybody else digging in so deeply to the disk partitioning and structure stuff out there—certainly nobody who writes for ordinary mortals.
Coincidentally, Howard just posted this excellent brief summary about why Big Sur isn’t useful to clone for an M1!
Fascinating article, having dealt with wiping and formatting an internal SSD, albeit on Intel, last week.
I relied on the Recovery partition to install, but I did boot off the external SSD clone to both test it and restore the Data partition using Chronosync. I had wondered whether an external fast large SSD would be an option in the future as my main startup disk, not something Apple wants to encourage I see.
I hadn’t considered other partitions, where Recovery resides etc.
I just read Howard’s excellent summary thanks to Glenn’s link. (I’ve read several of Howard’s blogs on other subjects so I am very thankful for him. I am very familiar with Mike Bombich’s work although I haven’t read from him in a long time.)
The Mac system keeps getting more complicated and I do think that percolates down to the everyday user. No doubt security is critical but is there no way that Apple couldn’t make provisions for booting from external drives when the internal SSD has failed? Does this necessarily undermine everything or is that how Apple wants it to be anyway? Of course booting into macOS externally without the internal SSD in control would in part be a different operating system. Assuming most basic changes are not that tough to pull off (actually, it’s already in place for Intel Macs) does security become impossible? If it were possible, I suspect the future would be that very many more users would take advantage of external booting in normal usage. Then Apple would lose much control which is perhaps what’s most important to it. (With perhaps the benefit that the first generation, at least, of silicon Macs could have reduced expiry dates.)
When OS X first came along (or rather was decided on), I was overjoyed because I was a daily Unix user. But I felt the implementation was lacking because less sophisticated users were too easily confused by the interface. I don’t know exactly what I would have done except that I would have done many things differently. I wouldn’t have tried to hide Unix any more than Apple did, but I’d have worked hard at making it easier. A big problem with Unix is the heavy reliance on file system links. As the OS grows, the complication of linking grows. Links are a bit like “goto’s” - often considered evil in programming. But they have their place and are often invaluable. I see the new Mac system container volume disk security structure is especially complicated due to complex links. Could there have been a better way?
Another bugaboo of Unix and Mac OS is file and directory permissions. Disk Utility must have reported millions of permission problems to me over the years and they persist through Catalina (I don’t remember if my external Big Sur disk reports them). I think Apple could have done a far better job at reducing permission problems or providing reliable methods to ease them.
These are issues that affect everyday users so improvements in security are just one of many goals. Also, I wonder if the percentage of more sophisticated users is growing as the number of desktop OS users has dwindled - OR, if the sophisticated users are dying off and younger users are less interested in understanding as much as possible.
Apple implemented this “won’t boot (anything) if the internal drive is dead” ostensibly in the service of security. Sure, security is important, but how much for whom? Some arguably need more of it than others, but for many it comes down to their comfort level. Some people feel they need well-stocked bomb shelters or safe rooms in their homes, some (I, for one, and probably many more) don’t feel that insecure. Apple ought to allow users to decide, which involves weighing the risk/benefit/functionality/cost trade-offs. They did this with FileVault, and, though I’m no tech expert, I imagine they could do it with this issue as well, if they wanted; it’d be much more user-friendly. I wonder what Apple gains by becoming so user-unfriendly? They must profit somehow, but I can’t imagine how.
It 100% is. An external bootable drive is completely feasible. I’m using it with a 2017 Intel iMac and Big Sur. (See An External SSD Gave My iMac a New Lease on Life, 9 April 2021.)
But that’s my main drive. It’s what I always start up with, and when I get Big Sur updates, I apply them in a Big Sur session booted from that drive against that drive. Since this is an Intel iMac, I could keep running even if my Fusion drive died, which is feasible, since it’s got spinning media as part of it.
On an M-series Mac, an unused internal SSD, except for external boot policy, should experience nearly no wear and should run forever.
I’d refer you back to my article, which is that my suspicion is that external bootable drives must be such a tiny fraction of use cases coupled with the extreme longevity and reliability of modern SSDs, that the intersection of a failed internal SSD on an M1 Mac (that’s out of warranty, too) and someone who has an external drive they could boot from or are using seems very very very low.