Recently, a reader sent me the following question:
Larry, I have heard people are concerned about SoftRaid forcing a compromise with the T2 security feature on Macs. I don’t understand the risks, but wonder if you have insights. I am considering buying this OWC U.2 RAID using 4x2TB Samsung 970 EVOs.
I contacted the folks at OWC to learn more and here is their response.
(Image courtesy of Pew Nguyen at Pexels.com.)
In the current version of macOS, there is no reason to lower the security settings on Intel Macs. Therefore, I think we only need to address M1 Macs. [When using 3rd-party storage on] M1 Macs, users must reduce security and this is the concern we should focus on.
Starting with macOS 10.14.5, the operating system requires all 3rd party drivers to be scanned for malware and cryptographically signed by Apple prior to being released by the developer. If a driver has not been scanned, found to be malware free and signed by Apple, macOS will refuse to load it. This restriction has been part of every release of macOS since 10.14.5 and is probably the single biggest reason that macOS is relatively malware free.
This code signature also allows macOS to detect if a driver has been modified. After a driver has been modified, the code signature no longer matches the code in the driver and macOS will refuse to load it.
With the M1 Macs, Apple wanted to add an additional feature to further prevent malware on macOS. This feature, when enabled, only allows the latest version of macOS to be installed and run and prevented all third-party drivers from loading. This means you can’t install and run an older version of macOS and you can’t load any drivers that Apple didn’t build. This setting is called “Full Security” in the Startup Security Utility.
Larry notes: 3rd-party drivers are system-level software that controls external gear like storage, control panels, audio interfaces and the like.
Unfortunately, this restriction renders an M1 Mac unusable for many professional video editors and photographers. These users are not just surfing the web or watching movies on their Macs but need to add additional hardware and software in order to create compelling content for others to watch. In order to use this non-Apple hardware and software, users must use the Startup Security Utility and choose “Reduced Security.”
So, if you chose “Reduced Security,” are you opening your Mac up to any malware available on the Internet? No, far from it. Even with this setting, M1 Macs will only load versions of macOS and 3rd party drivers which have been scanned for malware and signed by Apple. Even with this “Reduced Security” setting, you are still protected from malware by Apple’s cryptographic code signature checking mechanism. The code signature of every 3rd party driver is checked when the driver is first installed.
In addition, the code signature of macOS together with all the currently installed 3rd party drivers is checked every time your Mac starts up. If the code signature of macOS and the drivers is missing or the signature doesn’t match the currently installed driver and operating system files (because one or more files have been modified), your Mac will refuse to startup.
This new startup technology, introduced in macOS 10.15, is called SSV (Signed System Volumes) and is fully enabled even when “Reduced Security” is enabled on M1 Macs.
For a complete description of how macOS checks this code signature see the Apple documentation on Signed System Volumes.