Jul 4, 2015
4,487
2,551
Paris
This and kext changes are good news. These things will make Hacks hard or impossible. I like the enthusiasm that Hackintosh builders have for Macs but I don't think Hackintosh should be allowed. It hurts the engineers at the end of the day and adds a small but relevant amount of costs on real Mac users.
 

stiligFox

macrumors 68000
Apr 24, 2009
1,565
1,646
10.0.1.3
This and kext changes are good news. These things will make Hacks hard or impossible. I like the enthusiasm that Hackintosh builders have for Macs but I don't think Hackintosh should be allowed. It hurts the engineers at the end of the day and adds a small but relevant amount of costs on real Mac users.

Actually it hasn’t really affected hackintoshes much at all as far as I can tell - people were up and running the beta the very same day it was released.

On the other hand it’s completely broken my being able to use my old MadCatz mouse with my MacBook Air, since the installer refuses to load everything because it can no longer write the kext to the System folder. It would be trivial to move it to the new location but there’s other things to be installed that are failing. And MadCatz has said they will not write new drivers.

So it’s a good thing for most day to day real-Mac users, I suppose, as it keeps those machines far more secure; but it’s not a perfect solution as it breaks older things. And it doesn’t really stop hackintoshes at all.
 

haralds

macrumors 68030
Jan 3, 2014
2,990
1,252
Silicon Valley, CA
Actually it hasn’t really affected hackintoshes much at all as far as I can tell - people were up and running the beta the very same day it was released.

On the other hand it’s completely broken my being able to use my old MadCatz mouse with my MacBook Air, since the installer refuses to load everything because it can no longer write the kext to the System folder. It would be trivial to move it to the new location but there’s other things to be installed that are failing. And MadCatz has said they will not write new drivers.

So it’s a good thing for most day to day real-Mac users, I suppose, as it keeps those machines far more secure; but it’s not a perfect solution as it breaks older things. And it doesn’t really stop hackintoshes at all.
You could try using Pacifist to take the installer apart and manually move the components into place.
 
Jul 4, 2015
4,487
2,551
Paris
Actually it hasn’t really affected hackintoshes much at all as far as I can tell - people were up and running the beta the very same day it was released.

On the other hand it’s completely broken my being able to use my old MadCatz mouse with my MacBook Air, since the installer refuses to load everything because it can no longer write the kext to the System folder. It would be trivial to move it to the new location but there’s other things to be installed that are failing. And MadCatz has said they will not write new drivers.

So it’s a good thing for most day to day real-Mac users, I suppose, as it keeps those machines far more secure; but it’s not a perfect solution as it breaks older things. And it doesn’t really stop hackintoshes at all.

I’ve read that patching kexts will be dead by end of the year. That’s good because most people who install these things don’t read the code to see if there is some malware inserted there or even just a security hole.
 

eltoslightfoot

macrumors 68030
Feb 25, 2011
2,547
3,099
Hmmmm..... lemmmmeeeesssseeee here....

Since back to my earliest days of Mac'ing (late 80's), I've partitioned my drives so that the "System files" resided in their own partition.

I've ALWAYS kept my data on a separate volume (partition).
This made it fast and easy to backup my data, and if anything went wrong with the "system partition", the data partition was usually still fine.

And for years others told me what I was doing was unnecessary.

Well, well, well...!
Looks like Apple itself has finally come around to "my way of doing it".
That is -- segregate the OS files into their own "space".
Call it "a partition", or call it "a container", or call it whatever you like ("a rose by any other name...")
That's what they're doing.

Who had it right...?
This was always the way I did it in the Linux and Unix world.
I’ve read that patching kexts will be dead by end of the year. That’s good because most people who install these things don’t read the code to see if there is some malware inserted there or even just a security hole.
Hackintoshing isn't the only reason to patch kexts. My bet is that there will always be a way to do it.
 
  • Like
Reactions: Janichsan
Jul 4, 2015
4,487
2,551
Paris
This was always the way I did it in the Linux and Unix world.
Hackintoshing isn't the only reason to patch kexts. My bet is that there will always be a way to do it.

For a while maybe. Always, no. Windows also has this hidden system volume thing now. In the future the base of the system will be installed locally and the higher functioning stuff exposed to the user (drivers, GUI etc) will load from the cloud. This will make fixing bugs very quick. You won’t need to wait weeks or months for a 2GB OS update. They can fix small bugs in the cloud within days.
 

stiligFox

macrumors 68000
Apr 24, 2009
1,565
1,646
10.0.1.3
I’ve read that patching kexts will be dead by end of the year. That’s good because most people who install these things don’t read the code to see if there is some malware inserted there or even just a security hole.

As long as you can disable SIP (which you still can) you’ll be able to, I believe. I couldn’t load the kext initially because its certificate expired last year, but disabling SIP allowed me to open and run it as usual.

Now that removes the security of SIP of course, but that returns the normal freedoms to mess with stuff as you wish. Disabling SIP even allows me to write to the new System volume.
You could try using Pacifist to take the installer apart and manually move the components into place.

Thanks! I did try that, and using it and some terminal commands I did finally get the kext installed and got it to load, but then the helper app won’t load, so still stuck at square one :(
Hackintoshing isn't the only reason to patch kexts. My bet is that there will always be a way to do it.

Yup, and one way Hackintoshes load third party kexts is by injecting them in via the boot loader, before anything else loads - they’re installed in the EFI partition so that bypasses a lot of the security bits.
 

eltoslightfoot

macrumors 68030
Feb 25, 2011
2,547
3,099
As long as you can disable SIP (which you still can) you’ll be able to, I believe. I couldn’t load the kext initially because its certificate expired last year, but disabling SIP allowed me to open and run it as usual.

Now that removes the security of SIP of course, but that returns the normal freedoms to mess with stuff as you wish. Disabling SIP even allows me to write to the new System volume.

Thanks! I did try that, and using it and some terminal commands I did finally get the kext installed and got it to load, but then the helper app won’t load, so still stuck at square one :(

Yup, and one way Hackintoshes load third party kexts is by injecting them in via the boot loader, before anything else loads - they’re installed in the EFI partition so that bypasses a lot of the security bits.
Agreed, but that would be the same reason the process is useful for reasons other than hackintoshing. Actually that would be pretty much the only point. Would it not?
 

stiligFox

macrumors 68000
Apr 24, 2009
1,565
1,646
10.0.1.3
Agreed, but that would be the same reason the process is useful for reasons other than hackintoshing. Actually that would be pretty much the only point. Would it not?
Pretty much, yeah! There will always be cases when we want or need to modify our computers in unintended ways to run certain software and utilities.
 
  • Like
Reactions: eltoslightfoot

fisherking

macrumors G4
Jul 16, 2010
11,252
5,563
ny somewhere
Pretty much, yeah! There will always be cases when we want or need to modify our computers in unintended ways to run certain software and utilities.

i admit i have not read all the posts here, but... can we still disable SIP if we want to modify something in the OS?... thx
 

weup togo

macrumors 6502
May 6, 2016
357
1,257
My guess is that the fact it is still editable with SIP disabled is a bug. The benefit is that updates & upgrades become much easier when you have a precisely known set of bits to modify, without having to worry about any sort of alterations behind your back. This is more about simplicity for Apple's deployment of new updates than about security.

This session confirms part of what I guessed above. It sounds like the temporary editability isn't a bug so much as a temporary workaround for the fact that this will break things, and they couldn't ship the first seed without it.

 
  • Like
Reactions: adrianlondon

stiligFox

macrumors 68000
Apr 24, 2009
1,565
1,646
10.0.1.3
This session confirms part of what I guessed above. It sounds like the temporary editability isn't a bug so much as a temporary workaround for the fact that this will break things, and they couldn't ship the first seed without it.


Ah ha! At least the read-only status can be changed temporarily; that means any needed changes can be made still. I don’t know anything that requires read AND write permissions all the time for the System folder.
 

Ed217

macrumors 6502
Nov 7, 2012
341
79
Virginia
Given the two partitions, how does one make an Image backup...and then do an image restore?

Most such tools only select a single partition.
 

stiligFox

macrumors 68000
Apr 24, 2009
1,565
1,646
10.0.1.3
Given the two partitions, how does one make an Image backup...and then do an image restore?

Most such tools only select a single partition.
I think it comes down to how APFS works. Keep in mind these are two *volumes* on one *partition*. So it should see the whole thing as one image to restore both volumes.

That’s just my guess though.
 

Ed217

macrumors 6502
Nov 7, 2012
341
79
Virginia
I think it comes down to how APFS works. Keep in mind these are two *volumes* on one *partition*. So it should see the whole thing as one image to restore both volumes.

That’s just my guess though.

That part I understand...the question is an image backup only selects a single item. Is this to be the container or the device...or does it matter?
 

stiligFox

macrumors 68000
Apr 24, 2009
1,565
1,646
10.0.1.3
That part I understand...the question is an image backup only selects a single item. Is this to be the container or the device...or does it matter?
I don’t think it’ll matter too much; I currently have two internal drives on my hackintosh and Time Machine backs them both; I’m assuming it’ll work like that, if not even simpler. I imagine Apple has figured out the necessary voodoo to make it seamless(ish).

Most likely if you’re doing a full restore, it’ll restore the entire drive/device as one item.

Another possibility is that Time Machine will simply create a brand new installation of Catalina (since for 99% of the people it’ll be a read only volume that won’t have anything extra on it to be lost) and only restore the Data volume.
 

toru173

macrumors 6502
Apr 5, 2007
332
154
When you back up an APFS partition you image the entire container with all its constituent volumes. That way it keeps the APFS group relationship intact, and you can restore in much the same way
 

leman

macrumors Core
Oct 14, 2008
19,521
19,677
Hmmmm..... lemmmmeeeesssseeee here....

Since back to my earliest days of Mac'ing (late 80's), I've partitioned my drives so that the "System files" resided in their own partition.

I've ALWAYS kept my data on a separate volume (partition).
This made it fast and easy to backup my data, and if anything went wrong with the "system partition", the data partition was usually still fine.

And for years others told me what I was doing was unnecessary.

Well, well, well...!
Looks like Apple itself has finally come around to "my way of doing it".
That is -- segregate the OS files into their own "space".
Call it "a partition", or call it "a container", or call it whatever you like ("a rose by any other name...")
That's what they're doing.

Who had it right...?

I never really saw a clear benefit of putting the user data on a separate partition, because in the end it doesn’t really matter. Of course, unless you are also using two separate physical discs for that or rely heavily on partition images etc.

The way Apple does it is much more advanced - they mount the system volume read-only and use intricate linking to stitch together the two volumes under the single root. It’s not really something you can easily do yourself.
If MacOS has its own partition and read-only, many BSD or Unix programs might outright break and not work. Unless MacOS has some sort of virtual system folder that program can read/write, I am not sure about the compatibility here.
Based on this info, I am pretty sure Apple is now laying the foundation to ditch intel processor and much of the UNIX thing in the near future.

The way Apple implements this is fully UNIX-compliant and the only software that would break is probably already doing something weird. No Unix tool has any business writing to folders that reside on the read-only partition. Watch the WWDC video.
Given the two partitions, how does one make an Image backup...and then do an image restore?

Most such tools only select a single partition.

Catalina supports APFS volume images and some rather nifty things as image diffs/patches etc. Again, check the WWDC video.
 
  • Like
Reactions: chabig

redheeler

macrumors G3
Oct 17, 2014
8,634
9,278
Colorado, USA
Can I still edit my System Directory if I so choose?

Every time I install MacOS I change the volume clicker back to the one to the true Mac OS X volume clicker.
Apple says it’s read-only. You say it’s writeable. Those statements are at odds. I’m not sure which is more likely correct.
Uh-oh. Guess I spoke too soon regarding DP1... In DP2 it really is a read-only partition.

Hopefully there is a way around this. I've done some MacOS system theming in the past and would not appreciate losing the ability to do so in Catalina.
 

redheeler

macrumors G3
Oct 17, 2014
8,634
9,278
Colorado, USA
You can make it writable by disabling SIP.
Nope, not in DP2. Already ran csrutil status to confirm it's still disabled.
system-volume.png
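
The state described in the last post (csrutil status reports SIP disabled while the system volume is still read-only), as an added example that is not part of the thread: a shell script that classifies a machine from the text of `csrutil status` and `mount`. The sample output strings are constructed, and the function names (`sip_state`, `root_mode`, `posture`) are hypothetical.

```shell
#!/bin/sh
# Constructed sample output (not captured from a real machine).
SAMPLE_CSRUTIL='System Integrity Protection status: disabled.'
SAMPLE_MOUNT='/dev/disk1s5 on / (apfs, local, read-only, journaled)
/dev/disk1s1 on /System/Volumes/Data (apfs, local, journaled, nobrowse)'

# sip_state TEXT -> enabled | disabled | custom | unknown
sip_state() {
    case "$1" in
        *"Custom Configuration"*) echo custom ;;   # partially disabled SIP
        *"status: enabled"*)      echo enabled ;;
        *"status: disabled"*)     echo disabled ;;
        *)                        echo unknown ;;
    esac
}

# root_mode TEXT -> read-only | read-write | unknown
# Looks only at the line for the volume mounted on "/".
root_mode() {
    line=$(printf '%s\n' "$1" | grep ' on / (' | head -n 1)
    [ -n "$line" ] || { echo unknown; return; }
    case "$line" in
        *read-only*) echo read-only ;;
        *)           echo read-write ;;
    esac
}

# posture CSRUTIL_TEXT MOUNT_TEXT -> one-line finding
posture() {
    sip=$(sip_state "$1"); root=$(root_mode "$2")
    case "$sip/$root" in
        enabled/read-only)  echo "OK: SIP enabled, system volume read-only" ;;
        disabled/read-only|custom/read-only)
                            echo "WARN: SIP $sip, system volume still read-only" ;;
        */read-write)       echo "ALERT: system volume writable (SIP $sip)" ;;
        *)                  echo "UNKNOWN: sip=$sip root=$root" ;;
    esac
}

# Runs on the constructed sample; on a Mac, feed it live output instead:
#   posture "$(csrutil status)" "$(mount)"
posture "$SAMPLE_CSRUTIL" "$SAMPLE_MOUNT"
```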
 