All non-system files should remain intact (eg: User folder, 3rd party applications, etc.) as those reside on a separate "Data" volume. You can just reinstall macOS, and this will in turn overwrite all system files, setting them back to default and undoing any customizations, and thus making the root volume pass any cryptographic signature checks again with SSV. How do I undo these changes (allowing a drive to boot normally again with a Mac that has SSV enabled)?įortunately, all you need to do is boot into recovery mode, which should still work since it's separate from the root volume. Warning: snapshot fsroot/file key rolling tree corruptions are not repaired they'll go away once the snapshot is deleted However, that message is misleading, as no repairs will actually be done, granted you intentionally modified the root volume itself, and the Mac will continue to fail to boot the drive so long as SSV is enabled. In addition, if you boot into Recovery Mode and run Disk Utility, all checks will technically pass for the physical disk and its container, although you'll see a warning when checking the container stating: Unless you remember this caveat regarding SSV, this can lead to some very confusing situations to the untrained eye that can make it seem like the drive or macOS install is corrupted. The progress bar will make it maybe 5%, followed by the computer suddenly ramping up its fans and shutting itself down. When you boot a Mac that has SSV enabled, there's really no explicit error seen during a signature failure, at least in a normal GUI boot (ie: boot screen that has an Apple logo and progress bar).enrollment profile that requires FileVault being enabled at all times, this can lead to even more of a headache. Every time you need to re-disable SSV, you need to temporarily turn off FileVault each time.If you zap the PRAM of a computer and clear its flags, you'd need to boot into Recovery Mode and repeat step 1 to disable SSV again, as it gets re-enabled by default.Therefore, you'll need to force it to boot into the external drive's Recovery Mode by holding "option" at boot, selecting the external disk that has Big Sur, and then immediately hitting "command + r" in just the right timing to load Big Sur's Recovery Mode. If the host machine natively has Catalina or older installed to its internal disk, its native Recovery Mode will not support the "csrutil authenticated-root" flag in Terminal. If you modified system files on a portable installation of macOS (ie: on an external drive) via this method, any host computer you plug it into will fail to boot the drive if SSV is enabled on the host.You'll need to keep SSV disabled (via "csrutil authenticated-root disable") forever if your root volume has been modified.But beyond that, if something were to go wrong in step 3 when you bless the folder and create a snapshot, you could also end up with an non-bootable system. Obviously, you need to take general precautions when modifying any system file, as it can break your installation (as has been true for as long as macOS itself has existed). What are the caveats of modifying system files / breaking the seal of the root volume? has this page and this page that have a more complete explanation of how SSV works in Big Sur. Any time you modify system files and commit the changes as in step 3 above, you are effectively "breaking the seal" on the volume, meaning it no longer matches Apple's signature of what an unmodified system volume should look like, and therefore the drive will no longer normally be bootable. In any case, what the "authenticated-root disable" option does is set a PRAM flag to disable SSV (Sealed System Volume) checks at boot for the root volume. In addition, the man page in Big Sur is very outdated, dating back to 2017. If you run "man csrutil", you'll quickly discover Apple actually does a poor job documenting the command and what various flags do. Usually, most CLI commands like "csrutil" have a "man" page that explain their usage. What does "csrutil authenticated-root-disable" do? However, be aware that the above comes with some risks, which are oftentimes not explicitly mentioned in such tutorials. Sudo bless -folder ~/Desktop/mount/System/Library/CoreServices -bootefi -create-snapshot
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |