By gosmond


2019-03-09 03:05:30 8 Comments

Preamble

5 or 10 years ago it was common for power users to create their own customized OS X 10.7/10.8/10.9 boot CDs and DVDs using third-party utilities like "BootCD." With the decline of CD/DVD burning in recent years, I haven't found any current info on the web about making customized, bootable, read-only macOS 10.14 Mojave volumes.

Note: I am NOT looking for instructions on how to create the standard bootable macOS Mojave Installer. (The how-tos for this are already widely known & published.)

Bounty requirements

  • Detailed instructions to create a fully-operational and customizable macOS Mojave 10.14 boot volume on a read-only hard drive or USB stick. (There are specialized USB thumb drives which have true firmware-enforced read-only operational modes available.)

  • After booting up, one must be be able to log in normally, use the Finder normally, and launch basic apps like TextEdit, a 3rd-party hard drive recovery tool, or other fairly low-footprint / low-requirements apps which can be coaxed to run normally in a read-only boot environment. (e.g. by pointing their config/cache/log directories to a separate writable volume.) I do not expect to be able launch & run things like "Microsoft Powerpoint", "Adobe Creative Suite," or other large, complex packages.

  • Solution does not require network access. (No ethernet/wifi/bluetooth.) However, it must support USB/lighting-port connectivity for external storage devices.

Additional conditions

  • There is no disk space restriction. The customized boot volume can be as large necessary to get the job done.

  • It is acceptable to use preparatory & passive 3rd party software tools as part of the pre-deployment boot-volume setup process, including freeware, shareware, or commercially-licensed tools, for example Carbon Copy Cloner, BootCD, etc. (That is to say, to help create the .dmg or .iso-type file which will later be 'burned' to a DVD or (in my case) copied to a read-only USB thumb drive.)

  • It is also acceptable to use 3rd party active tools (i.e. non-Apple software) which are wrapped into the final read-only boot volume configuration, and loaded/executed every time the custom read-only volume is booted, but only if the 3rd party tools do not interfere with native macOS 10.14 binary executables that interrogate the hardware and/or firmware directly. (To clarify: the results of running such executables under a hypervisor or VM-wrapped boot solution must be bit-for-bit identical with the results generated by running the same utilities in a normal, natively-booted, read-write macOS 10.14 environment) For example:

    /usr/libexec/firmwarecheckers/eficheck/eficheck --show-hashes

    /usr/sbin/system_profiler

Optional additional features (not required to claim bounty)

  • A writable temporary RAM-based storage volume of a few GB in size mounted & visible on the Desktop, to which one can save documents, or use as a cache working directory for apps which may require writable disk space in order to function. (But not strictly necessary: one could accomplish this by using a 2nd, separate writable USB or hard disk drive.)

  • It is acceptable to disable SIP (system integrity protection) in order to boot from a specially-modified read-only macOS Mojave volume, but it'd be preferable to leave SIP enabled.

  • Ideally the solution will work on both T2-equipped Macs and non-T2 Macs.

  • It is acceptable if the solution involves manually customizing (e.g. "hacking") the normal macOS Mojave Install.app / bootable installer image so that it boots all the way to the Finder/Desktop, instead of stopping at the macOS Install / Disk Utility / Terminal access screen as it normally does.

  • Would prefer (but do not require) that the solution includes a wide array of hardware drivers (e.g. video displays, etc.) so that a single bootable read-only volume can boot up as many recent-vintage types of Macs as possible. (~2015 or later, roughly speaking.) MacBook Pros, iMacs, Mac Minis, etc. With this preference in mind, using the macOS Mojave Install.app as starting point may be useful. It includes within it a wide variety of drivers so that it can boot on many kinds of Macs.

Summary of attempts to date

In my testing so far, I have tried using Carbon Copy Cloner to clone my normal everyday-usage macOS 10.14.3 (18D109) boot drive to my special configurable Read/Write + Read/Only USB thumb drive.

  • In normal R/W mode the USB stick boots as expected, all the way to the Desktop/Finder, with expected functionality. (It works the same as booting from the normal read-write internal SSD storage.)

  • However, when I set the USB stick to R/O (read-only), the same macOS 10.14.3 (18D109) config starts to boot, but about 10% of the way through the boot progress bar (before any user-login prompt appears,) the Mac (a 2018 MacBook Pro) just powers off with no warning. In Verbose boot mode the text messages scroll too fast to read before power-off. If need be I can attempt to capture these via photo or video in order to share them here.

Additional background

  • I seek read-only booting for security purposes on untrusted hardware. I want to be able to boot up & run (for instance) firmware-interrogation tools without fear of anything on the boot volume being altered by firmware-residing malware. I also want to be able to run (for instance) cryptocurrency wallet software, again with assurance that firmware-resident or hardware-transported malware cannot alter anything on the boot volume. (For example "badUSB" malware, Lightning port malware, etc.)

  • I have looked into using a Linux-based read-only operating system and will fall back to Linux if necessary, but I would rather use macOS so that I can use Apple-developed standard firmware interrogation tools, and a variety of macOS-specific utility / cryptocurrency apps.

  • For those who question whether there are truly "read-only" USB thumb drives: They are out there. Without naming specific vendors, these are FIPS140 level 2- or 3-certified hardware-encrypted solutions with customized and write-locked firmware. (Not vulnerable to badUSB-type attacks.) Some of them have physical on-device keypads for configuration & entry of PIN unlock codes, and the ability to authoritatively switch the device between normal read-write and 'hard' (firmware-enforced) read-only modes.

0 comments

Related Questions

Sponsored Content

0 Answered Questions

0 Answered Questions

4 Answered Questions

1 Answered Questions

[SOLVED] Reinstall macOS Mojave on MacBook Pro with Windows installed

0 Answered Questions

2 Answered Questions

[SOLVED] Can't open some ePub books in Books.app on macOS Mojave

  • 2019-01-20 19:14:33
  • SPRBRN
  • 255 View
  • 2 Score
  • 2 Answer
  • Tags:   mojave books epub

1 Answered Questions

[SOLVED] Can't boot to Mac OS volume after Bootcamp Windows install

0 Answered Questions

Update MacbookAIR Firmware without original hard disk

1 Answered Questions

0 Answered Questions

Dock never autohides on macOS Mojave 10.14

Sponsored Content