###Mac OS X FileVault encryption and OpenBSD encrypted softraid on a Macbook Air
OpenBSD -current works pretty well on my Mid-2011 Macbook Air (A1370, SandyBridge) and Mid-2013 Macbook Air (Haswell). The new KMS code brings up the MBA's eDP display in 1366x768 with backlight control. ACPI works as expected for battery/AC status, CPU throttling, and full suspend/resume support. The Broadcom wireless card does not work, so for now I am using this tiny USB adapter (`urtwn`) which is rather unobtrusive when plugged in.
The Broadcom multi-touch trackpad is supported as of 5.4-current with the `ubcmtp` driver, allowing for two-finger scrolling and 2- and 3-button emulation by clicking with multiple fingers.
Dual-booting with Mac OS X is fairly easy, but once FileVault is enabled for full-disk encryption of Mac OS, it clobbers the path to boot back into OpenBSD. Here's how to get both OSes working, each with its own disk encryption, without having to use rEFIt or anything else.
Update: Something may have changed in recent OS X versions that makes it no longer possible to see the OpenBSD partition (which shows up as a Bootcamp/Windows icon) in the OS X boot menu. This may be because older Boot Camp did all of the protective MBR stuff because older versions of Windows did not support GPT disks and BCA no longer supports Windows 7. If your system does not show the Bootcamp/Windows disk when booting with Alt pressed, you may need to install rEFInd, which will find the OpenBSD partition and even show a blowfish icon.
####Mac OS X Configuration
- If FileVault is already enabled, turn it off and decrypt the SSD. Try not to get your machine stolen in the next 20 minutes.
- Use Boot Camp Assistant to partition the hard drive, slicing off a portion of the end of the drive for OpenBSD (I used 30Gb on a 256Gb SSD). If BCA just pukes up an error that it couldn't repartition the drive, reboot into the recovery partition, run Disk Utility, and use Repair Disk on the SSD. My drive had some hard-link errors that were fixable but were probably preventing BCA's automated verify+repartition process from working. Some defragmenting may also be required to move blocks around to clear up space at the end of the drive (I'm not sure if BCA does this, but I have a copy of iDefrag that I used). Also, BCA will probably complain that there is no Windows DVD, so I had a Windows 7 DVD mounted (from my isostick) so BCA would think it's installing Windows 7.
- After BCA repartitions and reboots, it will try to boot to the Windows 7 DVD. Bail on that and boot to an OpenBSD CD (again, I used my isostick).
####OpenBSD Booting
On older MacBooks with USB 2, things should just work when booting into OpenBSD.
On newer (2013) MacBooks with USB 3, you will probably have to force the firmware to boot into "legacy" mode to downgrade the USB controller to USB 2 to allow the built-in keyboard (and any other USB components) to work since OpenBSD does not (yet) have a working `xhci` driver. To do this, use `bless` within OS X with the `legacy` flag. For example, to boot the OpenBSD CDROM (or an isostick in my case) on `disk1` in legacy mode:
```
jcs@air:~> diskutil list
/dev/disk0
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *251.0 GB disk0
1: EFI EFI 209.7 MB disk0s1
2: Apple_HFS mac 200.1 GB disk0s2
3: Apple_Boot Recovery HD 650.0 MB disk0s3
4: Microsoft Basic Data BOOTCAMP 50.0 GB disk0s4
/dev/disk1
#: TYPE NAME SIZE IDENTIFIER
0: OpenBSD/amd64 5.4... *243.4 MB disk1
/dev/disk2
#: TYPE NAME SIZE IDENTIFIER
0: FDisk_partition_scheme *63.9 GB disk2
1: DOS_FAT_32 ISOSTICK 63.9 GB disk2s1
jcs@air:~> sudo bless --device /dev/disk1 --setBoot --nextonly --legacy
```
Note that due to some bug in the MacBook's firmware (present on at least the 2013 Haswell MBA), `bless`ing with `--legacy` but without `--nextonly` will not work. Unfortunately since `--nextonly` is required, this means that it is not possible to permanently select OpenBSD as the boot partition while still having USB 2 emulation.
Once `bless` is run, reboot the machine without holding alt/option and it will boot to that device automatically in legacy mode with a working keyboard.
####OpenBSD Installation
Note: Newer MacBooks have different AHCI controllers that bring up the SSD in native/SCSI mode, so the SSD will be `sd0`.
- When OpenBSD boots, choose `(S)hell`, run `fdisk -e wd0` and there should be an MSDOS partition already sliced out from BCA. Change its type to `A6` and quit. `disklabel -E wd0`, create a new slice taking the defaults for the new OpenBSD partition, and use `RAID` as the type. Write/quit.
- `bioctl -cC -l /dev/wd0a softraid0` to create a new softraid encrypted disk from the just-added RAID partition, and enter a passphrase. `sd1` should show up (my isostick's USB drive takes `sd0`).
- `install` to get back to the installer, use `sd1` as the root disk, proceed as normal.
- Reboot and it should boot to the OpenBSD bootloader as usual, prompting for the encryption passphrase. If it boots back to Mac OS X, reboot and hold down the Alt/Option key at the startup chime and it should let you arrow over to choose the "Windows" disk (which is OpenBSD).
- Verify that things are working. Wireless won't, but otherwise everything else should.
####Mac OS X Encryption
- Once OpenBSD is installed and working, reboot back into Mac OS X (using Alt/Option if it doesn't default back to Mac OS).
- Enable FileVault, which will require a reboot. The previous Windows/Bootcamp boot option is now gone, but it's just temporary.
- Let FileVault start encrypting, and run `gdisk /dev/disk0` from xterm/terminal. If you don't already have gdisk, download it (available via Homebrew as `gptfdisk`), it's a lifesaver.
- In `gdisk`, first run `p` to see the partition table. You should have an EFI partition, an `AF05` Mac partition, an `AB00` recovery partition, and your OpenBSD/Bootcamp partition (which may have a type of `FFFF`).
- Use `t` to change the type of your Bootcamp partition to `0700` (a FAT partition). Enter `r` to enter recovery menu, then `h` to build a Hybrid MBR. You will get a face full of warnings and then asked to enter a list of partitions. Enter `2 3 4` to add your 3 real partitions, and answer `y` to adding the first EFI partition.
- Confirm the defaults for partitions 2 and 3, but change partition 4's type to `A6` for OpenBSD. Flag it to be bootable. `w` to write and quit.
- When you reboot again (you can do it while FileVault is still encrypting, it'll resume itself at next boot) and hold down Alt/Option at the startup chime, you should now see the Windows disk again as a boot option. Confirm that it boots back to the OpenBSD bootloader, then make sure you can boot back into Mac OS. If you don't see the Windows option in the boot menu, you may need to install a 3rd party EFI bootloader like rEFIt (see the note at the start of this document).
- Boot back into Mac OS and let FileVault finish encrypting.
- To permanently set OpenBSD as the default boot partition, run `/usr/sbin/bless --device /dev/disk0s4 --setBoot --legacy`. Now booting into Mac OS will require holding down Alt.
- Boot back into OpenBSD and get some work done.
####Future
Every major OS X upgrade I've done has clobbered the OpenBSD partition in the GPT disk label, making it impossible to boot back to OpenBSD. Before doing any major OS X upgrade, I would recommend turning off FileVault encryption and/or having a copy of `gdisk` around to re-add the `0700 BOOTCAMP` partition to the GPT label and also recreate the hybrid MBR (with the OpenBSD `a6` partition).
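A quick way to tell whether an upgrade has replaced the hybrid MBR described above is to parse sector 0 and look for the `0xEE` entry plus a bootable `A6` entry. The following is an added example, not part of the original write-up; the function names and the sample sector numbers are assumptions made for illustration.

```python
import struct

TABLE_OFFSET = 446                    # four 16-byte entries, then 0x55AA
ENTRY = struct.Struct("<B3xB3xII")    # boot flag, CHS, type, CHS, LBA start, count
GPT_PROTECTIVE, OPENBSD = 0xEE, 0xA6

def parse_mbr(sector):
    """Return the non-empty partition entries of a 512-byte sector 0."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature (0x55AA)")
    entries = []
    for slot in range(4):
        flag, ptype, start, count = ENTRY.unpack_from(sector, TABLE_OFFSET + 16 * slot)
        if ptype:
            entries.append({"slot": slot + 1, "bootable": flag == 0x80,
                            "type": ptype, "start": start, "sectors": count})
    return entries

def hybrid_mbr_problems(sector):
    """List what is wrong with the hybrid MBR; an empty list means intact."""
    try:
        entries = parse_mbr(sector)
    except ValueError as err:
        return [str(err)]
    problems = []
    types = [e["type"] for e in entries]
    if GPT_PROTECTIVE not in types:
        problems.append("no 0xEE entry covering the GPT")
    elif types == [GPT_PROTECTIVE]:
        problems.append("protective MBR only: the hybrid MBR is gone")
    openbsd = [e for e in entries if e["type"] == OPENBSD]
    if not openbsd:
        problems.append("no A6 (OpenBSD) entry")
    elif not any(e["bootable"] for e in openbsd):
        problems.append("A6 entry is not flagged bootable")
    return problems

def build_mbr(parts):
    """Constructed sample sector from (bootable, type, start, sectors) tuples."""
    table = b"".join(ENTRY.pack(0x80 if b else 0, t, s, n) for b, t, s, n in parts)
    return bytes(TABLE_OFFSET) + table.ljust(64, b"\0") + b"\x55\xaa"

# Constructed samples (sector numbers are made up, not read from a real disk).
HYBRID = build_mbr([(False, 0xEE, 1, 409639), (False, 0xAF, 409640, 390820312),
                    (False, 0xAB, 391229952, 1269536), (True, 0xA6, 392499488, 97656250)])
AFTER_UPGRADE = build_mbr([(False, 0xEE, 1, 490234751)])

if __name__ == "__main__":
    for name, sector in (("hybrid", HYBRID), ("after upgrade", AFTER_UPGRADE)):
        print(name, hybrid_mbr_problems(sector) or "ok")
```

To check a real machine, save sector 0 first (for example `sudo dd if=/dev/rdisk0 of=mbr.bin bs=512 count=1` on OS X) and pass the file's bytes to `hybrid_mbr_problems`.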
####TODO
- Figure out what is causing problems (interrupts?) on the 2013 Haswell MBA that makes OpenBSD lock up when trying to attach additional `cpu`s on an MP kernel when not booting in `--legacy` mode, and causing USB attachment failures with the new `xhci` driver on an SP kernel.
- Figure out how to disable startup chime from OpenBSD (StartupSound doesn't seem to work on Mountain Lion anymore, what is it doing anyway? Writing something to NVRAM?)

See: http://osxdaily.com/2012/11/04/disable-mac-boot-chime/ for some tips that seem to work on Mountain Lion.
ciao,
David