Apple silicon APFS backup problem

Apple APFS cannot be read

After booting Clonezilla Live and backing up with Partclone.apfs, some of the APFS partitions fail.

First, look at the GPT data:

gdisk

Found valid GPT with protective MBR; using GPT.
Disk /dev/nvme0n1: 61279344 sectors, 233.8 GiB
Model: APPLE SSD AP0256Z
Sector size (logical/physical): 4096/4096 bytes
Disk identifier (GUID): B2AF6879-DEC6-422B-AE54-B21C581B37EB
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 5
First usable sector is 6, last usable sector is 61279338
Partitions will be aligned on 2-sector boundaries
Total free space is 30543728 sectors (116.5 GiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1               6          128005   500.0 MiB   AF0B  iBootSystemContainer
   2          128006        24542213   93.1 GiB    AF0A  Container
   3        24542214        25152517   2.3 GiB     AF0A  
   4        25152518        25277701   489.0 MiB   EF00  
   5        25277702        29424901   15.8 GiB    8300  
   6        59968630        61279338   5.0 GiB     AF0C  RecoveryOSContainer

Typically it is the partitions with GPT type code AF0A that have the problem.

blkid

Looking at the partition information with blkid shows nothing unusual:

root@debian:/home/thomas# blkid
/dev/nvme0n1p5: UUID="b2987700-28dd-450a-b0e9-5f2e8a121cbb" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="e77b2894-4740-45b1-951c-f61d4b8f97d2"
/dev/nvme0n1p3: UUID="0f126770-2c2b-4b91-b298-fd08d20a9988" BLOCK_SIZE="4096" TYPE="apfs" PARTUUID="e3a97025-7b7f-4d26-8ecf-416316ce27c6"
/dev/nvme0n1p1: UUID="27a5e297-e02e-4c76-aca0-ba66b8f95bea" BLOCK_SIZE="4096" TYPE="apfs" PARTLABEL="iBootSystemContainer" PARTUUID="904b9d04-bdea-4471-a4ec-7bd17b74b469"
/dev/nvme0n1p6: UUID="64a78f4b-c221-4b3f-b480-8afb00b9562d" BLOCK_SIZE="4096" TYPE="apfs" PARTLABEL="RecoveryOSContainer" PARTUUID="1b4755bf-8391-4c0e-9e84-c11fe3775627"
/dev/nvme0n1p4: LABEL_FATBOOT="EFI - DEBIA" LABEL="EFI - DEBIA" UUID="BFFB-100B" BLOCK_SIZE="4096" TYPE="vfat" PARTUUID="38514106-b274-4e79-94d1-45696d24307f"
/dev/nvme0n1p2: UUID="7e9b172c-ef57-465e-b10c-c65888e706fa" BLOCK_SIZE="4096" TYPE="apfs" PARTLABEL="Container" PARTUUID="e8152f74-d982-4cab-af9c-d4044b932f83"

fsapfsinfo

After installing libfsapfs-utils, the fsapfsinfo program can be used to view a summary of the APFS container.

nvme0n1p1 can be read normally:

/usr/bin/fsapfsinfo /dev/nvme0n1p1
fsapfsinfo 20201107

Apple File System (APFS) information:
Container information:
        Identifier                      : 27a5e297-e02e-4c76-aca0-ba66b8f95bea
        Number of volumes               : 4
Volume: 1 information:
        Identifier                      : cee8dbdc-009a-4270-9783-f8fbc70981b5
        Name                            : iSCPreboot
        Compatible features             : 0x00000002
                (NX_FEATURE_LCFD)

        Incompatible features           : 0x00000001
                (NX_INCOMPAT_VERSION1)

        Read-only compatible features   : 0x00000000
....
....
....

Protected APFS:

Inspecting the protected APFS with fsapfsinfo, by contrast, shows that nvme0n1p2 cannot be read:

root@debian:/home/thomas# /usr/bin/fsapfsinfo /dev/nvme0n1p2
fsapfsinfo 20201107

Unable to open: /dev/nvme0n1p2.
libcaes_context_initialize: unable to set padding in context with error: error:00000000:lib(0)::reason(0).
libcaes_tweaked_context_initialize: unable to initialize main context.
libfsapfs_encryption_context_initialize: unable to initialize decryption context.
libfsapfs_container_key_bag_read_file_io_handle: unable to initialize encryption context.
libfsapfs_internal_container_open_read: unable to read container key bag at offset: 16803950592 (0x3e997f000).
libfsapfs_container_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input container.

The key error message is libfsapfs_container_key_bag_read_file_io_handle: unable to initialize encryption context.

So it is now confirmed that the default installation has protection enabled; the APFS partitions involved are:

/dev/nvme0n1p1: normal - iBootSystemContainer
/dev/nvme0n1p2: protected - Container / macOS
/dev/nvme0n1p3: protected - NA / for m1-debian only
/dev/nvme0n1p6: normal - RecoveryOSContainer
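The triage above (gdisk type code, blkid filesystem type, fsapfsinfo result) is the check one wants to run before starting a Clonezilla job, so that an "encrypted" container is known in advance instead of discovered as a partclone.apfs failure. The script below is an added example, not part of the original note or of Clonezilla/libfsapfs; it parses the same gdisk, blkid and fsapfsinfo output shown on this page and classifies every APFS partition. The function names, the "--scan" flag and the assumption that the partition number is the trailing digits of the device node are the example's own.

```shell
#!/bin/sh
# Added pre-flight check (not from the original note): before running
# Clonezilla / partclone.apfs, find every APFS partition, flag the GPT type
# code the note identifies as problematic (AF0A), and classify each container
# as readable or encrypted from fsapfsinfo's own error text.

# gpt_partitions_with_code CODE: read `gdisk -l` output on stdin and print
# the partition numbers whose type code equals CODE (for example AF0A).
# gdisk columns: Number Start End Size Unit Code Name...
gpt_partitions_with_code() {
    awk -v code="$1" '$1 ~ /^[0-9]+$/ && $6 == code { print $1 }'
}

# apfs_partitions: read `blkid` output on stdin and print the device nodes
# whose filesystem type is apfs, sorted by name.
apfs_partitions() {
    grep 'TYPE="apfs"' | cut -d: -f1 | sort
}

# classify_container: read fsapfsinfo output on stdin and print one word:
#   encrypted - the container key bag could not be decrypted
#               (Data Protection volume key / FileVault), partclone.apfs will fail
#   readable  - container metadata was parsed
#   error     - fsapfsinfo failed for some other reason
classify_container() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'unable to initialize encryption context'; then
        echo encrypted
    elif printf '%s\n' "$out" | grep -q 'Container information:'; then
        echo readable
    else
        echo error
    fi
}

# scan_disk DISK: live run (needs root, gdisk, blkid and libfsapfs-utils).
# Prints one line per APFS partition on DISK: device, status, GPT code class.
scan_disk() {
    disk=$1
    af0a=$(gdisk -l "$disk" | gpt_partitions_with_code AF0A | tr '\n' ' ')
    blkid | apfs_partitions | grep "^$disk" | while read -r dev; do
        # partition number = trailing digits of the node (assumption: nvme/sd naming)
        num=$(printf '%s' "$dev" | sed 's/.*[^0-9]//')
        status=$(fsapfsinfo "$dev" 2>&1 | classify_container)
        case " $af0a " in
            *" $num "*) code=AF0A ;;
            *)          code=other ;;
        esac
        printf '%s\t%s\t%s\n' "$dev" "$status" "$code"
    done
}

# Only touch real devices when explicitly asked: sh apfs-check.sh --scan /dev/nvme0n1
if [ "${1:-}" = "--scan" ]; then
    scan_disk "${2:-/dev/nvme0n1}"
fi
```

Run it from the Clonezilla Live shell as root with `--scan` and the disk to be imaged; any line reporting `encrypted` is a partition partclone.apfs will not be able to read, which is exactly the case the rest of this note works around.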

Cause!

Confirmed that protection is enabled:
Mac with Apple silicon, Data Protection defaults to Class C (see Data Protection classes)

On a Mac with Apple silicon, Data Protection defaults to Class C (see Data Protection classes) but utilises a volume key rather than a per-extent or per-file key — effectively recreating the security model of FileVault for user data. Users must still opt in to FileVault to receive the full protection of entangling the encryption key hierarchy with their password. Developers can also opt in to a higher protection class that uses a per-file or per-extent key.

Source:
https://support.apple.com/en-in/guide/security/secb010e978a/1/web/1
https://support.apple.com/en-in/guide/security/secf6276da8a/1/web/1

Manual test with an encrypted USB drive

On macOS, manually format an external USB flash drive as encrypted APFS, then inspect it with fsapfsinfo to see what error it produces. The result is the same: libfsapfs_encryption_context_initialize: unable to initialize decryption context.

thomas@debian-lab:~/tmp/mnt/tmp/macminim2$ sudo /usr/bin/fsapfsinfo /dev/sdc2
fsapfsinfo 20201107

Unable to open: /dev/sdc2.
libcaes_context_initialize: unable to set padding in context with error: error:00000000:lib(0)::reason(0).
libcaes_tweaked_context_initialize: unable to initialize main context.
libfsapfs_encryption_context_initialize: unable to initialize decryption context.
libfsapfs_container_key_bag_read_file_io_handle: unable to initialize encryption context.
libfsapfs_internal_container_open_read: unable to read container key bag at offset: 16777302016 (0x3e8015000).
libfsapfs_container_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input container.

Decrypt or remove the protection

Because "On a Mac with Apple silicon, Data Protection defaults to Class C" makes Clonezilla fall back to dd for the APFS backup, I looked for a solution that lets Linux tools or partclone perform the backup.

After a lot of searching into possible causes, the main one turned out to be the security policy setting: the default is Full Security, under which only signed software can read the disk; otherwise the only option is to change it to Reduced Security.

Full Security: Ensures that only your current OS, or signed operating system software currently trusted by Apple, can run. This mode requires a network connection at software installation time.
Reduced Security: Allows any version of signed operating system software ever trusted by Apple to run.

The procedure, excerpted from Apple's documentation, is as follows:

If you’re the administrator of the Mac, you can change the level of security used on your startup disk.

On the Mac with Apple silicon, choose Apple menu > Shut Down.

Press and hold the power button until “Loading startup options” appears.

Click Options, then click Continue.

Select a startup disk, then click Next.

Select an administrator account, then click Next.

Enter the password for the administrator account, then click Continue.

In the Recovery app, choose Utilities > Startup Security Utility.

Select the system you want to use to set the security policy.

If the disk is encrypted with FileVault, click Unlock, enter the password, then click Unlock.

Click Security Policy.

Select one of the following security options:

   Full Security: Ensures that only your current OS, or signed operating system software currently trusted by Apple, can run. This mode requires a network connection at software installation time.

   Reduced Security: Allows any version of signed operating system software ever trusted by Apple to run.

If you selected Reduced Security, select any of the following options, if needed:

   Allow user management of kernel extensions from identified developers: Allows installation of software that uses legacy kernel extensions.

   Allow remote management of kernel extensions and automatic software updates: Authorizes remote management of legacy kernel extensions and software updates using a mobile device management (MDM) solution.

After completing the steps above, reading the APFS with m1-debian or Clonezilla Live shows it in a decrypted state, and both backup and restore work!

The above assumes the default state, i.e. the user has not manually encrypted the APFS. If they have, it still has to be decrypted first and then the policy set to Reduced Security before a backup is possible.

Reference

https://support.apple.com/en-vn/guide/mac-help/mchl768f7291/mac
https://support.apple.com/en-vn/guide/mac-help/mchl0f9af76f/15.0/mac/15.0