How Apple’s Startup Security Utility and Secure Boot works

Glenn Fleishman
13 February, 2018
View more articles fromthe author
AAA
Help

With the appearance of the fancy new iMac Pro, Apple has also added some new startup options available exclusively on this model. If you’re a new owner, here’s how the new Startup Security Utility works at providing enhanced protection against people who might gain physical access to your computer.

It’s available only through macOS Recovery, Apple’s current name for the mini-operating system on a separate partition on your startup macOS volume that you can start up from in order to fix problem on your main partition. It’s been a huge help since it was added way back in Lion, and it’s become more advanced and reliable over time.

To launch macOS Recovery, you restart (or startup) your Mac, and hold down Command-R. A window appears on all Macs with a set of options for programs to run or actions to take with additional options in the Utilities menu. On the iMac Pro, you can select Utilities > Startup Security Utility.

Apple has put two special options here that allow you to enhance the physical integrity of your Mac in a way that others Macs lack. (The third is available on all Macs.) This comes through the addition of a separate chip, the T2, which performs a number of component management and security tasks. (Jason Snell details the T2’s functions in a recent column.)

macos high sierra startup security utility

Two of the three options are quick to explain:

  • Firmware Password Protection. This already exists as Utilities > Firmware Password Utility on other Macs. It prevents someone without your firmware password from starting up from a disk other than the currently designated startup volume.
  • External Boot. You can limit whether or not to let your iMac Pro start up from externally connected drives of any kind. Security minded people might prefer this option, as it prevents a malicious party from booting your Mac to try to access, copy, or decrypt material on your internal drive. (The iMac’s internal drive is now deeply integrated with the T2 chip, making it useless if removed without the chip, and the chip can’t be removed.)

The third option, Secure Boot, is the kind of feature that raises the hackles of long-time Mac users, as it can feed the concern that Apple will eventually make Macs as locked-down as iOS in terms of what versions of macOS can run and which apps could thus run on your Mac. However, that concern aside, it’s also a significant security enhancement in an era when we’ve seen exactly how insidious criminal and government-issued malware can be.

In Full Security mode, Secure Boot uses cryptographic verification through digital certificates and signatures to allow only the currently installed version of macOS or a version that Apple marks as currently supported. It also validates effectively that the installed version of macOS hasn’t been tampered with. If that can’t be validated, it will offer to reinstall macOS (but not erase your data) or startup from a different drive, depending on your other settings. (This mode also allows Windows via Boot Camp.)

Medium Security still validates that a legitimate version of macOS (or Windows) is installed, but doesn’t check macOS for signs of modification. With No Security, other operating systems can be installed.

Most of the time, Apple’s security measures affect how vulnerable we are to people who aren’t standing in front of our computers. These two iMac Pro additions are a step up, making it seem like they’re guarding against either a new class of worries to come, or adding features that the company has long itched to put in place as a bulwark—perhaps for folks living and working in repressive countries and at risk of compromise in their own homes and offices.

One Comment

One person was compelled to have their say. We encourage you to do the same..

  1. Damon says:

    Is this simply the Apple implementation of UEFI secure boot, or something different? https://blogs.msdn.microsoft.com/b8/2011/09/22/protecting-the-pre-os-environment-with-uefi/

Leave a Comment

Please keep your comments friendly on the topic.

Contact us