A Couple of Questions Regarding the Full Security Secure Boot mode on Apple Silicon Macs

[Yebubbleman]

Similar to a question I posted in the macOS forums (primarily because there isn't a section in the forums for T2 Macs the way that there is for Apple Silicon Macs), I know that Apple Silicon Macs, similar to, but still unlike T2 based Intel Macs, have Secure Boot settings that apply on a per OS install basis (rather than a T2 Mac's system-wide basis). What I don't know is this:

Does having my current/original/default/only installation of macOS on Full Security necessarily stop me from creating any second OS installation that is earlier than the current release and/or no longer signed by Apple with Reduced Security? Do I need to do anything special for that? Or is it merely a matter of creating a new APFS partition/container and then modifying the security settings of it before booting to whichever installer of whichever older macOS release I want to install?

 

[Krevnik]

There aren’t great answers here, in part because Apple themselves are still working through this. 11.4 changed some of the rules around booting to better support creating OS installs that require the reduced security mode. Prior to 11.4, you couldn’t run older installers, for example. So it’s clear that the goal and the reality aren’t fully aligned right now, because of how new per-install boot policies are.

The bit that is well-known is that different installs can indeed use different security levels. The policy for a given install is recorded on a partition that the pre-boot environment uses, and is stored on the internal SSD. When the pre-boot environment goes to boot macOS from a partition, it checks that copy of macOS against the local policy, only booting if it is valid. So it’s completely possible to have a Full Security primary install and a Reduced Security secondary install, as each policy is validated separately by the pre-boot environment. What I don’t know is the process for setting the local policy, especially because of bugs like what I mention above.

A good resource for details on the boot process as of 11.4 and how the security model actually works in practice: https://eclecticlight.co/2021/06/02...al-disks-and-local-boot-policy-in-macos-11-4/

 

[haralds]

There are a couple of other issues:
1. MacOS will not allow installing a version lower than the one installed. You would have to try to install from a USB stick.
2. It used to be possible to have multiple installs in different Volume Groups in one container. I have tried that and it does not work any longer. You would have to set up separate partitions.
I use to have a multi-boot on my M1 but gave up on it. It just took too much time to keep it running. I even stopped it on my T2 Intel MacBook Pro. I now keep VMs for older revs.