REFInd installation won’t boot due to T2 security, despite T2 security being disabled

catalinadual-bootefit2

I've been trying to install rEFInd with --ownhfs on my Macbook Air 2019, but booting into it results in Recovery Mode starting with the message

A software update is required to use this Startup Disk.

Trying to accept installing the update either immediately fails or fails after updating for about 5 minutes, with the message

An error occurred installing the update.

Curiously, before installing rEFInd I had both SIP and Secure Boot disabled (No Security) and External Boot enabled so macOS should have no reason to complain about an unverified boot, and yet it does. I haven't been able to find solutions anywhere else (all I can find is the same issue but with reinstalling macOS and Secure Boot enabled). Does anyone know possible workarounds or solutions?

Environment:

macOS Catalina 10.15.6 on Macbook Air 2019
rEFInd 0.12.0 from bin, installed as --ownhfs on a 50MB Mac OS Extended (Case-sensitive, Journaled) behind Macintosh HD
SIP & Secure Boot off, External Boot on

Other notes:

rEFInd was also reinstalled 2 more times after the first time this happened, but it didn't change anything. rEFInd also had no warnings or errors when installing
Directly booting from the boot device menu (via Option key on boot) into a portable Windows 10 installation on an external hard drive results in a black screen
Both rEFInd and the Windows drive displays as EFI Boot with an internal and external hard drive icon in the boot device menu, respectively
macOS boots normally without issues
EFI volume only contains the APPLE folder, even after installing rEFInd

Best Answer

Recreating the Problem

Before I provide an answer which explains how to install rEFInd to work properly on a Mac with a T2 chip, I will first incorrectly install rEFInd by following a path similar to the one taken by the OP. I do this because the OP posted a comment stating the following.

Unfortunately, I had No Security set way before I installed rEFInd so this won't help with my issue.

I hope this newly edited answer will demonstrate to the OP that I can recreate the problem outlined in OP's question, then provide steps to eliminate the problem.

I am using a 2018 mac mini which has a T2 chip. The Mac is configure with the following setup.

The firmware password feature is turn off.
SIP is enabled.
Secure Boot is set to No Security..
External Boot is set to Allow.
Both Mojave and Catalina are installed in an APFS container. The label for the Mojave volume is Halibut2 and the labels for the Catalina volumes are Anchovy and Anchovy - Data.
Widows 10 is installed. The Boot Camp Assistant was used to accomplish this.
The rEFInd Boot Manager is installed in a Mac OS Extended (Case-sensitive, Journaled) volume with the label rEFInd. The refind-install script with the --ownhfs option was used to install rEFInd. Note, when a Mac OS Extended (Journaled) volume is substituted, the results are the same.

The OP's question states: "EFI volume only contains the APPLE folder, even after installing rEFInd". This is the expected result since specifying --ownhfs as an option to refind-instal explicitly instructs this script to not put any rEFInd files in the EFI volume.

The output from the command diskutil list is shown below.

/dev/disk0 (internal):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                         251.0 GB   disk0
   1:                        EFI EFI                     314.6 MB   disk0s1
   2:                 Apple_APFS Container disk1         200.0 GB   disk0s2
   3:       Microsoft Basic Data BOOTCAMP                40.6 GB    disk0s3
   4:                  Apple_HFS rEFInd                  103.8 MB   disk0s4

/dev/disk1 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +200.0 GB   disk1
                                 Physical Store disk0s2
   1:                APFS Volume Anchovy                 11.4 GB    disk1s1
   2:                APFS Volume Anchovy - Data          31.3 GB    disk1s2
   3:                APFS Volume Preboot                 133.7 MB   disk1s3
   4:                APFS Volume Recovery                1.0 GB     disk1s4
   5:                APFS Volume VM                      2.1 GB     disk1s5
   6:                APFS Volume Halibut2                136.7 GB   disk1s7

Note: The Windows 10 Disk Management utility was used to create a 100 MB FAT formatted partition with the label REFIND. As an alternative, I could have used macOS to create a partition between the APFS container and the Windows 10 (Boot Camp) partition.

An image of the Mac Startup Manager icons is shown below.

The label EFI Boot is used by the Mac Startup Manager when no valid label files exist in the folder containing the boot file. The label files can be created by using the macOS bless command. However, when a properly installed Windows 10 exists on an internal drive, then the default Mac Startup Manager label is Windows. The refind-install script does not install a Mac Startup Manager label for rEFInd, therefore the default Mac Startup Manager label will be EFI Boot.

When choosing rEFInd from the Mac Startup Manager, the following message box appears.

Both the OP and I installed rEFInd using the --ownhfs option. This option installs rEFInd to appear to be OS X. The firmware installed in older Macs would be fooled into thinking rEFInd was OS X and the firmware would boot rEFInd. Evidently, Macs with a T2 chip are still being fooled into thinking a version of OS X is installed, but will not boot rEFInd. As the OP discovered, clicking on the Update button will not solve this problem.

One possible solution would be to install rEFInd a FAT formatted volume that exists in either EFI or Microsoft type partition.

Fixing the Problem

Below documents the steps taken to get a properly installed rEFInd.

Boot to macOS. In this case, I choose Catalina.

Use the Disk Utility application to erase the volume with rEFInd label. The name REFIND and format MS-DOS (FAT) were selected. Afterwards, the output from the command diskutil list appeared as shown below.

/dev/disk0 (internal):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                         251.0 GB   disk0
   1:                        EFI EFI                     314.6 MB   disk0s1
   2:                 Apple_APFS Container disk1         200.0 GB   disk0s2
   3:       Microsoft Basic Data BOOTCAMP                40.6 GB    disk0s3
   4:       Microsoft Basic Data REFIND                  103.8 MB   disk0s4

/dev/disk1 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +200.0 GB   disk1
                                 Physical Store disk0s2
   1:                APFS Volume Anchovy                 11.4 GB    disk1s1
   2:                APFS Volume Anchovy - Data          31.3 GB    disk1s2
   3:                APFS Volume Preboot                 133.7 MB   disk1s3
   4:                APFS Volume Recovery                1.0 GB     disk1s4
   5:                APFS Volume VM                      2.1 GB     disk1s5
   6:                APFS Volume Halibut2                136.4 GB   disk1s7

Download rEFInd from this website to my Downloads folder. I downloaded version 0.12.0.

Enter the following commands in a Terminal application window to install rEFInd to the REFIND volume.

Note: Copying and pasting these commands may be easier than typing in by hand.

cd ~/Downloads/refind-bin-0.12.0
xattr -rd com.apple.quarantine .
sed -i '' "s/sed -i 's/sed -i '' 's/g" refind-install
diskutil unmount disk0s4
sudo ./refind-install --usedefault /dev/disk0s4
diskutil unmount disk0s4
diskutil mount disk0s4
sudo rmdir /tmp/refind_install

The above sed command fixes a bug in the refind-install script which causes the script to terminate early with the error message sed: -i may not be used with stdin. If you enter this command more than once, only the first entry will change the script.

The above commands produced the following output.

davidanderson@Anchovy ~ % cd ~/Downloads/refind-bin-0.12.0
davidanderson@Anchovy refind-bin-0.12.0 % xattr -rd com.apple.quarantine .
davidanderson@Anchovy refind-bin-0.12.0 % sed -i '' "s/sed -i 's/sed -i '' 's/g" refind-install
davidanderson@Anchovy refind-bin-0.12.0 % diskutil unmount disk0s4
Volume REFIND on disk0s4 unmounted
davidanderson@Anchovy refind-bin-0.12.0 % sudo ./refind-install --usedefault /dev/disk0s4
Password:
ShimSource is none
Installing rEFInd on macOS....
Installing rEFInd to the partition mounted at /tmp/refind_install
Copied rEFInd binary files

Copying sample configuration file as refind.conf; edit this file to configure
rEFInd.

davidanderson@Anchovy refind-bin-0.12.0 % diskutil unmount disk0s4
Volume REFIND on disk0s4 unmounted
davidanderson@Anchovy refind-bin-0.12.0 % diskutil mount disk0s4
        Volume REFIND on disk0s4 mounted
davidanderson@Anchovy refind-bin-0.12.0 % sudo rmdir /tmp/refind_install

Note: The version 0.12.0 of the refind-install script contains an exit command which causes the script to terminate early without making rEFInd the default at startup. This allows the script to be executed without disabling SIP. The procedure for making rEFInd the default at startup is given in a later step.

Enter the following command to changed the label in the Mac Startup Manager for rEFInd from EFI Boot to rEFInd.
```
bless --folder /Volumes/REFIND/EFI/BOOT --label rEFInd
```
Restart the mac and immediately hold down the option key until the Mac Startup Manager icons appeared. To make rEFInd the default at startup, hold down the control key while selecting rEFInd.

After these changes, the Mac correctly boots to rEFInd at startup.

Note: I did not need to disable SIP or boot to MacOS Recovery to install rEFInd. You may wish to do either or both as described in Roderick W. Smith's webpage The rEFInd Boot Manager: rEFInd and System Integrity Protection.

Configuring rEFInd

Below is an cropped image of what was displayed by rEFInd.

Note: I noticed that selecting macOS from rEFInd can result in the Mac booting to a white screen. To recover, the Mac needs to be turned off and restarted while holding down the option key to request the Mac Startup Manager. After booting macOS from the Mac Startup Manager, this issue with rEFInd appeared to vanish.

This default arrangement also has the following deficiencies.

The two middle icons on the top row, which are shown below, have the same Boot macOS from Preboot label. There is no indication which is for Mojave or Catalina. Also, rEFInd is suppose to highlight the previous choice when first displaying the icons. This does not happen when the second icon shown below is selected.
The last icon on the top row, which is shown below, has the label Boot Windows (Legacy) from NTFS volume. When selected, rEFInd will instruct the firmware to BIOS boot Windows 10. Since all Macs with a T2 chip cannot BIOS boot, clearly this choice is invalid and needs to be eliminated.
Two of the icons on the bottom row, which are shown below, have the same Start Apple Recovery on Recovery label. There is no indication which is for Mojave or Catalina.
UUID's can not be used to specify APFS volumes in the refind.conf file. Also, the APFS volume labels are not recognized by the dont_scan_dirs option.

Below outlines additions made to the refind.conf file to remedy the above and other possible deficiencies. This file can be found in the EFI/BOOT folder on the REFIND volume. The additions need be placed at the end of this file.

Reduce the changes of a label (name) conflict. By default, a bootable APFS containers have two hidden volumes with the labels "Preboot" and "Recovery". If a external drive with a bootable APFS container was plugged in to the Mac, then the duplicate labels could cause a conflict. To help prevent this from occurring, these labels need to be made more unique. In this case, the "Preboot" and "Recovery" labels will be changed to "Internal Preboot" and "Internal Recovery", respectively. For my Mac, the commands to rename these volumes is given below. These commands need to entered in a Terminal application window.
```
 diskutil mount disk1s3
 diskutil rename disk1s3 "Internal Preboot"
 diskutil unmount disk1s3
 diskutil mount disk1s4
 diskutil rename disk1s4 "Internal Recovery"
 diskutil unmount disk1s4
```
Add the following line to the end of the refind.conf file. This option causes rEFInd to store rEFInd specific variables in the EFI/BOOT/vars folder of the REFIND volume instead of NVRAM. This is done to avoid possible wear on the NVRAM,
```
 use_nvram false
```
Add the following line to the end of the refind.conf file to set the System Integrity Protect (SIP) values to enable and disable. This file can be found in the EFI/BOOT folder on the REFIND volume.
```
 csr_values 10,77
```
Add the following line to the end of the refind.conf file to set which tool icons to appear on the rEFInd display.
```
 showtools shell,gdisk,csr_rotate,memtest,apple_recovery,windows_recovery,about,hidden_tags,reboot,shutdown,exit
```
Even though specified, the follows tools icons will not appear for the following reasons.

shell: No shellx64.efi file exists in in the EFI/tools folder. See the Installing Additional Components section of the Installing rEFInd page for pointers to acquiring this file. This file did work on my 2018 mac mini.

gdisk: No gdiskx64.efi file exists in the EFI/tools folder. See the Installing Additional Components section of the Installing rEFInd page for pointers to acquiring this file. This file did not work on my 2018 mac mini.

memtest: No file exists in an acceptable folder. See the Installing Additional Components section of the Installing rEFInd page for pointers to acquiring this file. No file was ever tested on my 2018 mac mini.

apple_recovery: The two macOS Recovery boot files were skipped because two dont_scan_tools options were placed in the refind.conf file.

windows_recovery: The Boot Camp Assistant installed the Windows Recovery Environment (WRE) files inside the BOOTCAMP volume. No WRE partition was created, therefore rEFInd has no volume to scan.
Adding following option to the end of the refind.conf file will instruct rEFInd to not search for BIOS boot loaders.
```
 scanfor internal,external,optical,manual
```

Replace any automatically created menu entries for Mojave and Catalina with manual entries. First, commands need to executed to determine the UUID for the Catalina APFS volume and Mojave APFS volume. For my Mac, the following commands were entered in a macOS Terminal application window. You will need to make the appropriate substitutions for the identifiers and resulting UUIDs.

 diskutil info disk1s1 | grep "Partition UUID"
 diskutil info disk1s7 | grep "Partition UUID"

For my Mac, the output from these commands is summarized below.

  Name (Label)       Type      Identifier             Partition UUID
 ---------------  -----------  ----------  ------------------------------------
 Anchovy          APFS Volume  disk1s1     315F6481-E157-4528-B2FE-170370370394
 Halibut2         APFS Volume  disk1s7     56F74AC8-0BD4-4086-952E-7038EC7FCFE4

Based on the above UUIDs, the following lines were be added to the end of the refind.conf file.

 dont_scan_files +,"Internal Preboot:\56F74AC8-0BD4-4086-952E-7038EC7FCFE4\System\Library\CoreServices\boot.efi"
 dont_scan_files +,"Internal Preboot:\315F6481-E157-4528-B2FE-170370370394\System\Library\CoreServices\boot.efi"

 menuentry "Mojave" {
     icon \EFI\BOOT\icons\os_mac.png
     volume "Internal Preboot"
     loader \56F74AC8-0BD4-4086-952E-7038EC7FCFE4\System\Library\CoreServices\boot.efi
     ostype "MacOS"
 }

 menuentry "Catalina" {
     icon \EFI\BOOT\icons\os_mac.png
     volume "Internal Preboot"
     loader \315F6481-E157-4528-B2FE-170370370394\System\Library\CoreServices\boot.efi
     ostype "MacOS"
 }

Prevent rEFInd from scanning the EFI volume for Windows boot files and create a manual entry for Windows. First, a command needs to executed to determine the UUID for the EFI volume. For my Mac, the following command was entered in a macOS Terminal application window. You will need to make the appropriate substitutions for the identifier and resulting UUID.

 diskutil info disk0s1 | grep "Partition UUID"

For my Mac, the output from this command is summarized below.

  Name (Label)       Type      Identifier             Partition UUID
 ---------------  -----------  ----------  ------------------------------------
 EFI              EFI          disk0s1     D118DCAC-1F89-4B1B-94AF-D078CB3FBA31

Based on the above UUID, the following lines were be added to the end of the refind.conf file.

 dont_scan_dirs +,D118DCAC-1F89-4B1B-94AF-D078CB3FBA31:/EFI/Boot
 dont_scan_dirs +,D118DCAC-1F89-4B1B-94AF-D078CB3FBA31:/EFI/Microsoft/Boot

 menuentry Windows {
     icon \EFI\BOOT\icons\os_win8.png
     volume "D118DCAC-1F89-4B1B-94AF-D078CB3FBA31"
     loader /EFI/Microsoft/Boot/bootmgfw.efi 
     ostype "Windows"
 }

Replace any automatically created menu entries for Mojave and Catalina macOS Recovery with manual entries. Here, the previous determined UUIDs can be use. You will need to make the appropriate substitutions for the identifiers and resulting UUIDs. Based on the UUIDs, the following lines were be added to the end of the refind.conf file.

 dont_scan_tools +,"Internal Recovery:\56F74AC8-0BD4-4086-952E-7038EC7FCFE4\boot.efi"
 dont_scan_tools +,"Internal Recovery:\315F6481-E157-4528-B2FE-170370370394\boot.efi"

 menuentry "Mojave" {
     icon \EFI\BOOT\icons\tool_rescue.png
     volume "Internal Recovery"
     loader \56F74AC8-0BD4-4086-952E-7038EC7FCFE4\boot.efi
     ostype "MacOS"
 }

 menuentry "Catalina" {
     icon \EFI\BOOT\icons\tool_rescue.png
     volume "Internal Recovery"
     loader \315F6481-E157-4528-B2FE-170370370394\boot.efi
     ostype "MacOS"
 }

Note: The icon file tool_rescue.png was chosen instead of tool_apple_rescue.png because the former has a size of 128 x 128 pixels and the latter has a size of only 48 x 48 pixels.

Below is a entire copy of the lines added to the end of the refind.conf file.

    use_nvram false
    csr_values 10,77
    showtools shell,gdisk,csr_rotate,memtest,apple_recovery,windows_recovery,about,hidden_tags,reboot,shutdown,exit
    scanfor internal,external,optical,manual

    dont_scan_files +,"Internal Preboot:\56F74AC8-0BD4-4086-952E-7038EC7FCFE4\System\Library\CoreServices\boot.efi"
    dont_scan_files +,"Internal Preboot:\315F6481-E157-4528-B2FE-170370370394\System\Library\CoreServices\boot.efi"
    
    menuentry "Mojave" {
        icon \EFI\BOOT\icons\os_mac.png
        volume "Internal Preboot"
        loader \56F74AC8-0BD4-4086-952E-7038EC7FCFE4\System\Library\CoreServices\boot.efi
        ostype "MacOS"
    }
    
    menuentry "Catalina" {
        icon \EFI\BOOT\icons\os_mac.png
        volume "Internal Preboot"
        loader \315F6481-E157-4528-B2FE-170370370394\System\Library\CoreServices\boot.efi
        ostype "MacOS"
    }

    dont_scan_dirs +,D118DCAC-1F89-4B1B-94AF-D078CB3FBA31:/EFI/Boot
    dont_scan_dirs +,D118DCAC-1F89-4B1B-94AF-D078CB3FBA31:/EFI/Microsoft/Boot
    
    menuentry Windows {
        icon \EFI\BOOT\icons\os_win8.png
        volume "D118DCAC-1F89-4B1B-94AF-D078CB3FBA31"
        loader /EFI/Microsoft/Boot/bootmgfw.efi 
        ostype "Windows"
    }

    dont_scan_tools +,"Internal Recovery:\56F74AC8-0BD4-4086-952E-7038EC7FCFE4\boot.efi"
    dont_scan_tools +,"Internal Recovery:\315F6481-E157-4528-B2FE-170370370394\boot.efi"

    menuentry "Mojave" {
        icon \EFI\BOOT\icons\tool_rescue.png
        volume "Internal Recovery"
        loader \56F74AC8-0BD4-4086-952E-7038EC7FCFE4\boot.efi
        ostype "MacOS"
    }
    
    menuentry "Catalina" {
        icon \EFI\BOOT\icons\tool_rescue.png
        volume "Internal Recovery"
        loader \315F6481-E157-4528-B2FE-170370370394\boot.efi
        ostype "MacOS"
    }

Below is an cropped image of what was displayed by rEFInd after adding the above lines.

The label for each icon is given below.

Boot Mojave from Internal Preboot
Boot Catalina from Internal Preboot
Boot Windows from EFI
Boot Mojave from Internal Recovery
Boot Catalina from Internal Recovery
Change SIP Policy
About rEFInd
Manage Hidden Tags Menu
Reboot Computer
Shutdown Computer
Exit rEFInd

Other Thoughts

The options could be simplified. First, a command needs to executed to determine the UUID for the APFS container. For my Mac, the following command was entered in a macOS Terminal application window. You will need to make the appropriate substitutions for the identifier and resulting UUID.

 diskutil info disk0s2 | grep "Partition UUID"

For my Mac, the output from this command is summarized below.

  Name (Label)       Type      Identifier             Partition UUID
 ---------------  -----------  ----------  ------------------------------------
 Container disk1  Apple_APFS   disk0s2     70DDFAEC-71CC-4A0F-8156-E0BEB9BAB69E

Next, the options

 dont_scan_files +,"Internal Preboot:\56F74AC8-0BD4-4086-952E-7038EC7FCFE4\System\Library\CoreServices\boot.efi"
 dont_scan_files +,"Internal Preboot:\315F6481-E157-4528-B2FE-170370370394\System\Library\CoreServices\boot.efi"
 dont_scan_tools +,"Internal Recovery:\56F74AC8-0BD4-4086-952E-7038EC7FCFE4\boot.efi"
 dont_scan_tools +,"Internal Recovery:\315F6481-E157-4528-B2FE-170370370394\boot.efi"

can be replace by the single option

 dont_scan_volumes 70DDFAEC-71CC-4A0F-8156-E0BEB9BAB69E

without changing the result. Basically, the change causes rEFInd to omit a search of the entire APFS container. This may result in a fast boot time to the rEFInd display.

The above could be improved on by replacing the options

 scanfor internal,external,optical,manual
 dont_scan_files +,"Internal Preboot:\56F74AC8-0BD4-4086-952E-7038EC7FCFE4\System\Library\CoreServices\boot.efi"
 dont_scan_files +,"Internal Preboot:\315F6481-E157-4528-B2FE-170370370394\System\Library\CoreServices\boot.efi"
 dont_scan_dirs +,D118DCAC-1F89-4B1B-94AF-D078CB3FBA31:/EFI/Boot
 dont_scan_dirs +,D118DCAC-1F89-4B1B-94AF-D078CB3FBA31:/EFI/Microsoft/Boot
 dont_scan_tools +,"Internal Recovery:\56F74AC8-0BD4-4086-952E-7038EC7FCFE4\boot.efi"
 dont_scan_tools +,"Internal Recovery:\315F6481-E157-4528-B2FE-170370370394\boot.efi"

with the single option

 scanfor external,optical,manual

which also would not change the result. Basically, this change causes rEFInd to omit a search of the entire internal drive. This may result in an even faster boot time to the rEFInd display.

The rEFInd Boot Manager can also be installed to an ExFAT volume. Currently, refind-install will not permit this, so you would have to do a manual install. I verified installing rEFInd to a ExFAT volume does work, except I needed to rename tool_rescue.png to rescue.png. In other words, rEFInd will not accept long file names for the icon option when installed to an ExFAT volume.
Installing rEFInd to a FAT volume is a security risk. Since no password (or other security means) is required to access the volume where rEFInd is installed, malicious software could change the rEFInd files. One way to help prevent this from happening would be to change the partition type to EFI. This can be done in Windows by using the gdisk or diskpart command and in Linux by using the gdisk command. The gdisk or gpt command can be used in macOS, but this may require disabling SIP and/or booting to macOS Recovery. Note: After rEFInd is installed, SIP can be disabled by rEFInd, thus avoiding the need to boot to macOS Recovery. You can enable SIP from macOS by entering the command sudo csrutil clear.

Best Answer

Recreating the Problem

Fixing the Problem

Configuring rEFInd

Other Thoughts

Related Solutions

How to boot Linux from Mac using rEFInd

MacOS – EFI Partition seems to have been replaced, can still boot with rEFInd but need to repair EFI Partition

Related Question