Asahi Linux Installation – Security Features Explained

Tags: dual-boot, security, startup

When I install a second instance of MacOS (say I am experimenting with a beta or something), I just create a new APFS partition and install MacOS in that partition.

The MacBook bootloader seems to know there is another OS on that partition and displays the options to boot from it.

When installing Asahi Linux, I run a script that partitions my drive, but I also have to place the MacBook into "permissive" security mode via recovery to complete the installation.

What is permissive mode?

Why must the MBP be placed into permissive mode?

Does this put your MBP at significant risk and how would you sell this to a company's security team?

Best Answer

I also have to place the MacBook into "permissive" security mode via recovery to complete the installation.

This is a misconception. You are not placing the MacBook into "permissive" security mode. You are placing the Asahi Linux install into permissive mode.

Apple Silicon Macs implement a unique secure boot mechanism that is unlike other personal computing devices. Typically devices are either wide open, locked down to manufacturer-approved software only, or can be toggled between those states through some (sometimes more, sometimes less secure) mechanism. Apple Silicon machines instead implement the security mode separately for each installed OS as part of a framework called Boot Policy, and this is what the available security modes mean:

  • Full security: Will only boot Apple-approved OSes, and installation requires phoning home to Apple (which allows them to revoke old vulnerable software versions from being installed again)
  • Reduced security: Will only boot Apple-approved OSes, but any such OS ever released can be installed without any phoning home.
  • Permissive security: Will only boot User-approved OSes, where approval requires physical presence and authentication. Secure Boot is still enabled, but now it is you who chooses what to authorize, not Apple.

Due to the way the mechanism is designed, new OSes must first be installed in Full security (from macOS) or Reduced security (from an existing recoveryOS) mode before being downgraded to Permissive security later. This must be done from a strictly controlled recoveryOS instance, and there are many requirements:

  • It must be an Apple-signed recoveryOS
  • It must be the same version (from the point of view of the machine) as the OS being downgraded
  • It must be an instance installed with and paired with the OS being downgraded
  • It must have been launched by a very specific procedure, involving holding down the power button from a cold shutdown state to prove user presence
  • The user must enter their credentials, which must have been authorized as a machine owner (typically an admin user of an existing macOS install).

At that point, security of that specific OS can be downgraded, and the actual custom OS bootloader can be installed. This process locally signs the new OS bootloader with a cryptographic signature, so replacing it can only be done by following this process again. This gives you the ability to have a fully user-controlled, securely booted, third-party OS. Of course, such third-party OSes need to implement a full secure boot chain for this to be as secure as macOS (Asahi Linux does not yet, but it's been planned from day one and will at some point).

The Asahi Linux install process is, essentially, this:

  • Create a new APFS container
  • Install a "stub" macOS (downloaded directly from Apple's CDN), of our own chosen version, containing everything but the root filesystem (this includes recoveryOS and all components needed to run it, as well as the iBoot bootloader and OS-paired firmware that cannot be replaced in a third-party OS install)
  • Install Asahi Linux (EFI/ext4 partitions). This is inert at this point.
  • Authorize the fresh stub macOS to be bootable on this machine. If you are installing from macOS, this will go through the phone home process behind the scenes and authorize it in Full security mode. If you are installing Asahi Linux directly from a recoveryOS Terminal, it will instead prompt you for login credentials and jump straight to Reduced security mode (which is as low as you can go from an unpaired recoveryOS belonging to the wrong macOS install), avoiding the phone-home step.
  • Mark the new OS as the default boot option and ask the user to boot into recoveryOS (hold down the power button). This will, implicitly, boot into the fresh recoveryOS instance that was just installed, which is the only environment that can authorize a change to Permissive security for the new OS. The Asahi Linux installer uses a trick to make this more ergonomic for users, so it looks like you are selecting the Asahi Linux install and it goes straight into the setup script instead of you having to pull up a Terminal and launch it manually, but you still have to be in the right recoveryOS (which is what you get by holding down the power button). Note that the "boot picker" that lets you choose an OS is already a running recoveryOS!
  • Change the security mode for this OS to Permissive security, prompting the user for credentials in the process
  • Finally, install the Asahi Linux bootloader (which locally signs it and authorizes it to boot on this machine - this is a local process, no phoning home), again prompting for credentials.

At that point you reboot and you're in the new OS.

So how does this affect the security of other OSes on the machine? It doesn't. Your existing macOS install remains at Full Security, with all the privileges that entails (like being able to run iOS apps and watch DRM-protected content). The OS image itself is still signed by Apple and verified at runtime, and cannot be compromised from Linux. User data can be if you have not enabled FileVault (though in practice we don't have support for APFS with transparent encryption anyway, so an attacker would have to develop that first!). If you have, then the most the third-party OS can do is just destroy/corrupt your data, not extract or compromise it.

Enabling FileVault also has one additional benefit in that it forces recoveryOS to prompt you for credentials upfront, which means you cannot use that environment to break into your machine or bypass password login requirements.

So, these machines are designed so you can do this without compromising the security of your main OS. Whether you can successfully sell that to your company's security team, that's a different question :-)

You can find a more detailed description of the Apple Silicon security architecture on the Introduction to Apple Silicon page on the Asahi Linux wiki.
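The answer above describes Boot Policy as a per-OS property with a fixed set of preconditions for downgrading one install to Permissive security. The following Python is an added illustrative model of exactly those rules, written for this page; it is not Apple's, Asahi Linux's or the answerer's code. Mode names and the five downgrade requirements come from the answer; the class and function names, the `recovery_id` pairing field and the sample version strings are assumptions made for the model. It shows the two points a security team usually asks about: a fresh install never starts Permissive, and downgrading one OS leaves the others untouched.

```python
"""Illustrative model of per-OS Boot Policy security modes.

Added for this page as a teaching aid; it is not Apple's or Asahi's
implementation. Mode names and downgrade rules follow the answer above;
data structures, names and sample values are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class SecurityMode(Enum):
    FULL = "Full"            # Apple-approved OS only, phone-home on install
    REDUCED = "Reduced"      # Apple-approved OS only, no phone-home
    PERMISSIVE = "Permissive"  # user-approved OS, locally signed bootloader


@dataclass
class InstalledOS:
    name: str
    version: str            # version as the machine sees it
    mode: SecurityMode
    recovery_id: str        # assumed id of the recoveryOS paired with this install
    bootloader_signed_locally: bool = False


@dataclass
class RecoveryEnvironment:
    recovery_id: str
    version: str
    apple_signed: bool
    launched_via_power_button: bool  # cold boot + held power button = presence
    authenticated_owner: bool        # credentials of an authorized machine owner


@dataclass
class Machine:
    oses: dict = field(default_factory=dict)

    def install_os(self, name, version, recovery_id, from_environment):
        """A new OS starts in Full (installed from macOS, with phone-home) or
        Reduced (installed from an unpaired recoveryOS). Never Permissive."""
        if from_environment == "macos":
            mode = SecurityMode.FULL
        elif from_environment == "recoveryos":
            mode = SecurityMode.REDUCED
        else:
            raise ValueError("unknown install environment")
        self.oses[name] = InstalledOS(name, version, mode, recovery_id)
        return mode

    def downgrade_checks(self, name, env):
        """Return the unmet requirements for moving `name` to Permissive."""
        target = self.oses[name]
        problems = []
        if not env.apple_signed:
            problems.append("recoveryOS is not Apple-signed")
        if env.version != target.version:
            problems.append("recoveryOS version does not match target OS")
        if env.recovery_id != target.recovery_id:
            problems.append("recoveryOS is not the one paired with target OS")
        if not env.launched_via_power_button:
            problems.append("user presence not proven (power-button boot)")
        if not env.authenticated_owner:
            problems.append("owner credentials not supplied")
        return problems

    def set_permissive_and_install_bootloader(self, name, env):
        """Downgrade one OS and locally sign its bootloader; other OSes untouched."""
        problems = self.downgrade_checks(name, env)
        if problems:
            raise PermissionError("; ".join(problems))
        target = self.oses[name]
        target.mode = SecurityMode.PERMISSIVE
        target.bootloader_signed_locally = True  # local signing, no phone-home
        return target.mode


def asahi_style_install(machine):
    """Walk the install sequence from the answer; return each OS's final mode."""
    # Pre-existing macOS and the stub macOS both land in Full security.
    machine.install_os("macOS", "sample-ver", "rec-macos", from_environment="macos")
    machine.install_os("Asahi stub", "sample-ver", "rec-asahi", from_environment="macos")
    # Reboot into the stub's own paired recoveryOS (power button held), log in.
    paired = RecoveryEnvironment("rec-asahi", "sample-ver", True, True, True)
    machine.set_permissive_and_install_bootloader("Asahi stub", paired)
    return {n: o.mode for n, o in machine.oses.items()}


if __name__ == "__main__":
    m = Machine()
    print(asahi_style_install(m))  # macOS stays Full, Asahi stub is Permissive
```

Running `asahi_style_install` shows the existing macOS entry keeps `Full` while only the stub moves to `Permissive`; calling `downgrade_checks` with the macOS install's recoveryOS against the Asahi stub returns the pairing failure, which is the model's equivalent of "you have to be in the right recoveryOS".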