Comment by larkost
4 years ago
I disagree with your assertion that the requirement for the internal SSD was a marketing decision (your word was "corporate", but that could mean anything). I think that it was probably a technical decision.
Likely there is a very small bit of bootstrap code stuffed into a ROM somewhere, and the only thing that bootstrap code does is enable it to read from some protected part of the onboard SSD, which then gives you the next round of bootstrap enabling you to read from other devices (e.g. all the code needed to power up and use the hardware needed to get to an external drive, and the code to read the partitions on said drive).
Someone made the decision that it would be better to use the bit of internal SSD (since it would "always" be there), which could be changed later, rather than hard-code this into comparatively expensive silicon. Unless your internal drive goes bad, it is a pretty good compromise. I seriously doubt that anyone in marketing cared about this.
Support for external disks massively increases the attack surface of the security-sensitive iBoot bootloader, and anything messing with USB (never mind Thunderbolt) is almost guaranteed to have exploitable attack surface. This was absolutely a technical decision. iBoot is a lot simpler not supporting external storage.
The SecureROM boots iBoot1 from NOR flash, then that has the SSD driver code. It would certainly be possible to add support for external storage, as long as it still fits in NOR. But I doubt they will.
(not the GP) I think you are attacking a strawman here, as your own post admits, by interpreting "corporate" as exclusively "marketing" and not including technical folks in it. I agree with you that the decision is also partially driven by technical folks at the company, but given macOS on ARM is really closer to iOS, the natural course of action would have been to simply clone the iOS model of secure boot, not to rethink it. That observation alone almost certainly implies it has been given explicit thought at relatively senior levels of the engineering hierarchy, at the very least.
My take is the company deliberated about this trade-off quite explicitly at some length and decided the Mac serves the world in its current capacity as a "computer" (i.e. the truck in the truck vs car analogy) and that they do not wish to limit the capabilities of the existing Mac that people love in any shape or form by moving to ARM, which was highly speculated and ripe for potential backlash. They probably decided the Mac would be an "open" system to some degree (at least as open as it already was) and iOS would be the closed mass market computing device optimizing for security and dependable end-to-end experience.