By gosmond

2019-03-09 03:05:30 8 Comments


5 or 10 years ago it was common for power users to create their own customized OS X 10.7/10.8/10.9 boot CDs and DVDs using third-party utilities like "BootCD." With the decline of CD/DVD burning in recent years, I haven't found any current info on the web about making customized, bootable, read-only macOS 10.14 Mojave volumes.

Note: I am NOT looking for instructions on how to create the standard bootable macOS Mojave Installer. (The how-tos for this are already widely known & published.)

Bounty requirements

  • Detailed instructions to create a fully-operational and customizable macOS Mojave 10.14 boot volume on a read-only hard drive or USB stick. (There are specialized USB thumb drives which have true firmware-enforced read-only operational modes available.)

  • After booting up, one must be be able to log in normally, use the Finder normally, and launch basic apps like TextEdit, a 3rd-party hard drive recovery tool, or other fairly low-footprint / low-requirements apps which can be coaxed to run normally in a read-only boot environment. (e.g. by pointing their config/cache/log directories to a separate writable volume.) I do not expect to be able launch & run things like "Microsoft Powerpoint", "Adobe Creative Suite," or other large, complex packages.

  • Solution does not require network access. (No ethernet/wifi/bluetooth.) However, it must support USB/lighting-port connectivity for external storage devices.

Additional conditions

  • There is no disk space restriction. The customized boot volume can be as large necessary to get the job done.

  • It is acceptable to use preparatory & passive 3rd party software tools as part of the pre-deployment boot-volume setup process, including freeware, shareware, or commercially-licensed tools, for example Carbon Copy Cloner, BootCD, etc. (That is to say, to help create the .dmg or .iso-type file which will later be 'burned' to a DVD or (in my case) copied to a read-only USB thumb drive.)

  • It is also acceptable to use 3rd party active tools (i.e. non-Apple software) which are wrapped into the final read-only boot volume configuration, and loaded/executed every time the custom read-only volume is booted, but only if the 3rd party tools do not interfere with native macOS 10.14 binary executables that interrogate the hardware and/or firmware directly. (To clarify: the results of running such executables under a hypervisor or VM-wrapped boot solution must be bit-for-bit identical with the results generated by running the same utilities in a normal, natively-booted, read-write macOS 10.14 environment) For example:

    /usr/libexec/firmwarecheckers/eficheck/eficheck --show-hashes


Optional additional features (not required to claim bounty)

  • A writable temporary RAM-based storage volume of a few GB in size mounted & visible on the Desktop, to which one can save documents, or use as a cache working directory for apps which may require writable disk space in order to function. (But not strictly necessary: one could accomplish this by using a 2nd, separate writable USB or hard disk drive.)

  • It is acceptable to disable SIP (system integrity protection) in order to boot from a specially-modified read-only macOS Mojave volume, but it'd be preferable to leave SIP enabled.

  • Ideally the solution will work on both T2-equipped Macs and non-T2 Macs.

  • It is acceptable if the solution involves manually customizing (e.g. "hacking") the normal macOS Mojave / bootable installer image so that it boots all the way to the Finder/Desktop, instead of stopping at the macOS Install / Disk Utility / Terminal access screen as it normally does.

  • Would prefer (but do not require) that the solution includes a wide array of hardware drivers (e.g. video displays, etc.) so that a single bootable read-only volume can boot up as many recent-vintage types of Macs as possible. (~2015 or later, roughly speaking.) MacBook Pros, iMacs, Mac Minis, etc. With this preference in mind, using the macOS Mojave as starting point may be useful. It includes within it a wide variety of drivers so that it can boot on many kinds of Macs.

Summary of attempts to date

In my testing so far, I have tried using Carbon Copy Cloner to clone my normal everyday-usage macOS 10.14.3 (18D109) boot drive to my special configurable Read/Write + Read/Only USB thumb drive.

  • In normal R/W mode the USB stick boots as expected, all the way to the Desktop/Finder, with expected functionality. (It works the same as booting from the normal read-write internal SSD storage.)

  • However, when I set the USB stick to R/O (read-only), the same macOS 10.14.3 (18D109) config starts to boot, but about 10% of the way through the boot progress bar (before any user-login prompt appears,) the Mac (a 2018 MacBook Pro) just powers off with no warning. In Verbose boot mode the text messages scroll too fast to read before power-off. If need be I can attempt to capture these via photo or video in order to share them here.

Additional background

  • I seek read-only booting for security purposes on untrusted hardware. I want to be able to boot up & run (for instance) firmware-interrogation tools without fear of anything on the boot volume being altered by firmware-residing malware. I also want to be able to run (for instance) cryptocurrency wallet software, again with assurance that firmware-resident or hardware-transported malware cannot alter anything on the boot volume. (For example "badUSB" malware, Lightning port malware, etc.)

  • I have looked into using a Linux-based read-only operating system and will fall back to Linux if necessary, but I would rather use macOS so that I can use Apple-developed standard firmware interrogation tools, and a variety of macOS-specific utility / cryptocurrency apps.

  • For those who question whether there are truly "read-only" USB thumb drives: They are out there. Without naming specific vendors, these are FIPS140 level 2- or 3-certified hardware-encrypted solutions with customized and write-locked firmware. (Not vulnerable to badUSB-type attacks.) Some of them have physical on-device keypads for configuration & entry of PIN unlock codes, and the ability to authoritatively switch the device between normal read-write and 'hard' (firmware-enforced) read-only modes.


Related Questions

Sponsored Content

0 Answered Questions

0 Answered Questions

4 Answered Questions

1 Answered Questions

[SOLVED] Reinstall macOS Mojave on MacBook Pro with Windows installed

0 Answered Questions

2 Answered Questions

[SOLVED] Can't open some ePub books in on macOS Mojave

  • 2019-01-20 19:14:33
  • 255 View
  • 2 Score
  • 2 Answer
  • Tags:   mojave books epub

1 Answered Questions

[SOLVED] Can't boot to Mac OS volume after Bootcamp Windows install

0 Answered Questions

Update MacbookAIR Firmware without original hard disk

1 Answered Questions

0 Answered Questions

Dock never autohides on macOS Mojave 10.14

Sponsored Content