@jcs
Last active April 2, 2024 20:18
macOS FileVault encryption and OpenBSD encrypted softraid on a Macbook Air/Pro

### Mac OS X FileVault encryption and OpenBSD encrypted softraid on a Macbook Air

OpenBSD -current works pretty well on my Mid-2011 Macbook Air (A1370, SandyBridge) and Mid-2013 Macbook Air (Haswell). The new KMS code brings up the MBA's eDP display in 1366x768 with backlight control. ACPI works as expected for battery/AC status, CPU throttling, and full suspend/resume support. The Broadcom wireless card does not work, so for now I am using this tiny USB adapter (urtwn) which is rather unobtrusive when plugged in.

The Broadcom multi-touch trackpad is supported as of 5.4-current with the ubcmtp driver, allowing for two-finger scrolling and 2- and 3-button emulation by clicking with multiple fingers.

Dual-booting with Mac OS X is fairly easy, but once FileVault is enabled for full-disk encryption of Mac OS, it clobbers the path to boot back into OpenBSD. Here's how to get both OSes working, each with its own disk encryption, without having to use rEFIt or anything else.

Update: Something may have changed in recent OS X versions that makes it no longer possible to see the OpenBSD partition (which shows up as a Bootcamp/Windows icon) in the OS X boot menu. This may be because older versions of Boot Camp did all of the protective MBR stuff, since older versions of Windows did not support GPT disks, and BCA no longer supports Windows 7. If your system does not show the Bootcamp/Windows disk when booting with Alt pressed, you may need to install rEFInd, which will find the OpenBSD partition and even show a blowfish icon.

#### Mac OS X Configuration

  1. If FileVault is already enabled, turn it off and decrypt the SSD. Try not to get your machine stolen in the next 20 minutes.

  2. Use Boot Camp Assistant to partition the hard drive, slicing off a portion of the end of the drive for OpenBSD (I used 30Gb on a 256Gb SSD). If BCA just pukes up an error that it couldn't repartition the drive, reboot into the recovery partition, run Disk Utility, and use Repair Disk on the SSD. My drive had some hard-link errors that were fixable but were probably preventing BCA's automated verify+repartition process from working. Some defragmenting may also be required to move blocks around to clear up space at the end of the drive (I'm not sure if BCA does this, but I have a copy of iDefrag that I used). Also, BCA will probably complain that there is no Windows DVD, so I had a Windows 7 DVD mounted (from my isostick) so BCA would think it's installing Windows 7.

  3. After BCA repartitions and reboots, it will try to boot to the Windows 7 DVD. Bail on that and boot to an OpenBSD CD (again, I used my isostick).

#### OpenBSD Booting

On older MacBooks with USB 2, things should just work when booting into OpenBSD.

On newer (2013) MacBooks with USB 3, you will probably have to force the firmware to boot into "legacy" mode to downgrade the USB controller to USB 2 to allow the built-in keyboard (and any other USB components) to work, since OpenBSD does not (yet) have a working xhci driver. To do this, use `bless` within OS X with the `--legacy` flag. For example, to boot the OpenBSD CDROM (or an isostick in my case) on `disk1` in legacy mode:

```
jcs@air:~> diskutil list
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *251.0 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                  Apple_HFS mac                     200.1 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
   4:       Microsoft Basic Data BOOTCAMP                50.0 GB    disk0s4
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                            OpenBSD/amd64   5.4... *243.4 MB   disk1
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *63.9 GB    disk2
   1:                 DOS_FAT_32 ISOSTICK                63.9 GB    disk2s1

jcs@air:~> sudo bless --device /dev/disk1 --setBoot --nextonly --legacy
```

Note that due to some bug in the MacBook's firmware (present on at least the 2013 Haswell MBA), blessing with `--legacy` but without `--nextonly` will not work. Unfortunately, since `--nextonly` is required, this means that it is not possible to permanently select OpenBSD as the boot partition while still having USB 2 emulation.

Once `bless` is run, reboot the machine without holding alt/option and it will boot to that device automatically in legacy mode with a working keyboard.

#### OpenBSD Installation

Note: Newer MacBooks have different AHCI controllers that bring up the SSD in native/SCSI mode, so the SSD will be sd0.

  1. When OpenBSD boots, choose (S)hell, run `fdisk -e wd0` and there should be an MSDOS partition already sliced out from BCA. Change its type to `A6` and quit. Run `disklabel -E wd0`, create a new slice taking the defaults for the new OpenBSD partition, and use `RAID` as the type. Write/quit.

  2. Run `bioctl -cC -l /dev/wd0a softraid0` to create a new softraid encrypted disk from the just-added RAID partition, and enter a passphrase. `sd1` should show up (my isostick's USB drive takes `sd0`).

  3. Run `install` to get back to the installer, use `sd1` as the root disk, and proceed as normal.

  4. Reboot and it should boot to the OpenBSD bootloader as usual, prompting for the encryption passphrase. If it boots back to Mac OS X, reboot and hold down the Alt/Option key at the startup chime and it should let you arrow over to choose the "Windows" disk (which is OpenBSD).

  5. Verify that things are working. Wireless won't, but otherwise everything else should.

#### Mac OS X Encryption

  1. Once OpenBSD is installed and working, reboot back into Mac OS X (using Alt/Option if it doesn't default back to Mac OS).

  2. Enable FileVault, which will require a reboot. The previous Windows/Bootcamp boot option is now gone, but it's just temporary.

  3. Let FileVault start encrypting, and run `gdisk /dev/disk0` from xterm/terminal. If you don't already have gdisk, download it (available via Homebrew as gptfdisk); it's a lifesaver.

  4. In gdisk, first run `p` to see the partition table. You should have an EFI partition, an `AF05` Mac partition, an `AB00` recovery partition, and your OpenBSD/Bootcamp partition (which may have a type of `FFFF`).

  5. Use `t` to change the type of your Bootcamp partition to `0700` (a FAT partition). Enter `r` to enter the recovery menu, then `h` to build a hybrid MBR. You will get a face full of warnings and then be asked to enter a list of partitions. Enter `2 3 4` to add your 3 real partitions, and answer `y` to adding the first EFI partition.

  6. Confirm the defaults for partitions 2 and 3, but change partition 4's type to `A6` for OpenBSD. Flag it to be bootable. Use `w` to write and quit.

  7. When you reboot again (you can do it while FileVault is still encrypting, it'll resume itself at next boot) and hold down Alt/Option at the startup chime, you should now see the Windows disk again as a boot option. Confirm that it boots back to the OpenBSD bootloader, then make sure you can boot back into Mac OS. If you don't see the Windows option in the boot menu, you may need to install a 3rd party EFI bootloader like rEFIt (see the note at the start of this document).

  8. Boot back into Mac OS and let FileVault finish encrypting.

  9. To permanently set OpenBSD as the default boot partition, run `/usr/sbin/bless --device /dev/disk0s4 --setBoot --legacy`. Now booting into Mac OS will require holding down Alt.

  10. Boot back into OpenBSD and get some work done.

#### Future

Every major OS X upgrade I've done has clobbered the OpenBSD partition in the GPT disk label, making it impossible to boot back to OpenBSD. Before doing any major OS X upgrade, I would recommend turning off FileVault encryption and/or having a copy of gdisk around to re-add the 0700 BOOTCAMP partition to the GPT label and also recreate the hybrid MBR (with the OpenBSD a6 partition).

#### TODO

  • Figure out what is causing problems (interrupts?) on the 2013 Haswell MBA that makes OpenBSD lock up when trying to attach additional cpus on an MP kernel when not booting in --legacy mode, and causing USB attachment failures with the new xhci driver on an SP kernel.

  • Figure out how to disable startup chime from OpenBSD (StartupSound doesn't seem to work on Mountain Lion anymore, what is it doing anyway? Writing something to NVRAM?)

@dcoppa

dcoppa commented May 16, 2013

See:

http://osxdaily.com/2012/11/04/disable-mac-boot-chime/

for some tips that seem to work on Mountain Lion.

ciao,
David


ghost commented Aug 7, 2013

How did you create the OpenBSD USB ISO-stick ?

@jcs
Author

jcs commented Aug 15, 2013

@oleguldberg It's an isostick so when you plug it in it shows up as a USB drive (with a FAT filesystem) and a CDROM. I just copied the OpenBSD install54.iso file to the FAT drive, put its name in config.txt, unplugged the ISO stick and plugged it back in, and the CDROM then shows the OpenBSD image as if it were an actual CDROM drive with that disc in it. They're very handy because you can put a ton of different ISO images on it at once, and just switch between them on the fly. You can also store drivers and other files on the FAT partition to use between OSes.

@alexjj

alexjj commented Nov 26, 2013

If you boot into OS X and mute the volume this will stop the chime.

@polachok

```
sudo bless --device /dev/disk1 --setBoot --nextonly --legacy
```

I tried that on late 2013 MBP to boot from a usb stick with openbsd installed. Keyboard works in boot> prompt, but doesn't work later, and it can't find root because of XHCI. Damn.
https://twitter.com/plhk_/status/437359568415236096/photo/1

@alvarezgregory

Awesome tuto, thanks ! How did you configure the 2-3 button emulation on the touchpad ?

@jcs
Author

jcs commented Jan 20, 2015

synclient can be used once in X to manage everything related to trackpad buttons and emulation.

@jturner

jturner commented Apr 9, 2015

I was able to get the trackpad to work without issue and I'm able to boot OpenBSD without rEFInd. My only remaining issue is I'm not able to get past cpu1 detection without booting with --nextonly every time. Which isn't the end of the world.

@gonzalo-

anyone boot OpenBSD on a macbookpro12,1?

@brycv

brycv commented Dec 6, 2015

With 5.8-current as of basically December 1, the MacBookPro12,1 works reasonably well. Mark Kettenis has one and has been fixing a bunch of things so it runs reasonably well. Broadwell graphics still has some bugs. You can boot a USB install disk that's been created with UEFI boot support and then install the same way. See Jasper's post for details on how to do the UEFI install. The installer has also gained lots of UEFI support but I haven't tested that yet.

@vanhecke

Thanks for updating the document to -current @jcs!
Repartitioning the SSD never works for me in OSX, it does work in recovery mode.

I'm having trouble with the last step:

```
mkdir /efi;
mount -t msdos /dev/sd0i /efi;
mount_msdos: /dev/sd0i on /efi: Device not configured
```

-> disklabel -h only shows the RAID partition.

I rebooted anyhow and refind was still showing the original MSDOS partition I created in recovery mode.
I just pick that option and openbsd boots fine, but no video (not even VESA, I used to get VESA in 5.6 and 5.7).

It seems like OpenBSD didn't write anything to the ESP partition.. (Because of the disk encryption maybe?)

Xorg.log : https://gist.github.com/aa816aa9745fad2ee72d
dmesg: https://gist.github.com/ccd823c4db36cf949816

@alexjj

alexjj commented Dec 12, 2015

Last time I dual booted a Mac (it was linux) I muted the volume in OS X and that stopped the start up chime. Doesn't address your TODO specifically though.

@gyakovlev

Hey @vanhecke, I had the same problem. Cannot mount sd0i from within OpenBSD.
The solution is to mount the EFI partition to /Volumes/EFI in OS X and place appropriate BOOTX64.EFI to /Volumes/EFI/EFI/BOOT/
No need to install refind, just hold option on boot and choose non osx partition.

@jcs
Author

jcs commented Mar 15, 2016

@gyakovlev @vanhecke The problem you probably ran into is that Apple's Disk Utility chooses to create a hybrid MBR when adding an MSDOS partition, rather than just creating an MBR with one big EE/protective partition. This causes OpenBSD's fdisk and kernel to see the disk as MBR and ignore the GPT, and since the hybrid MBR doesn't have an EFI system partition sliced out (this is different than the EE/protective partition), OpenBSD doesn't recognize a FAT partition anywhere.

The workaround for this (from krw@) is to choose HFS+ when slicing off a partition for OpenBSD, which should cause Disk Utility to not use a hybrid MBR but instead just create one big EE/protective partition in the MBR, which will allow the OpenBSD kernel and fdisk to see the disk as GPT, which will cause the FAT partition to show up (sd0i or similar) and allow the installer to mount the EFI partition. I've updated the notes here to recommend choosing HFS+ for the new partition type in Disk Utility.
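
The protective-versus-hybrid distinction described in this comment, and the hybrid MBR built in steps 5 and 6 of "Mac OS X Encryption", can both be checked by decoding sector 0 directly. The Python below is an added example, not part of the gist or of jcs's comment; the function names and the sample sectors (including their sector numbers) are constructed for illustration.

```python
import struct

# One 16-byte MBR entry: boot flag, CHS (skipped), type, CHS (skipped), LBA start, sector count
ENTRY = struct.Struct("<B3xB3xII")

def parse_mbr(sector0):
    """Decode the four primary partition entries from sector 0 of a disk."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0xAA55 boot signature")
    entries = []
    for slot in range(4):
        flag, ptype, start, size = ENTRY.unpack_from(sector0, 446 + 16 * slot)
        entries.append({"slot": slot + 1, "boot": flag == 0x80,
                        "type": ptype, "start": start, "size": size})
    return entries

def classify(entries):
    """'protective' = a lone EE entry, 'hybrid' = EE plus real entries, 'mbr' = no EE."""
    used = [e for e in entries if e["type"] != 0x00]
    if not any(e["type"] == 0xEE for e in used):
        return "mbr"
    return "protective" if len(used) == 1 else "hybrid"

def legacy_boot_problems(entries):
    """Check a hybrid MBR against steps 5-6: one A6 entry, flagged bootable."""
    if classify(entries) != "hybrid":
        return ["not a hybrid MBR"]
    a6 = [e for e in entries if e["type"] == 0xA6]
    if len(a6) != 1:
        return ["expected exactly one A6 (OpenBSD) entry, found %d" % len(a6)]
    if not a6[0]["boot"]:
        return ["A6 entry in slot %d is not flagged bootable" % a6[0]["slot"]]
    return []

def make_sector(parts):
    """Build a constructed sector 0 from (bootable, type, start, size) tuples."""
    table = b"".join(ENTRY.pack(0x80 if b else 0, t, s, n) for b, t, s, n in parts)
    return bytes(446) + table.ljust(64, b"\0") + b"\x55\xaa"

# Constructed samples; the sector numbers are made up, not read from a real disk.
PROTECTIVE = make_sector([(False, 0xEE, 1, 490234751)])
HYBRID = make_sector([(False, 0xEE, 1, 409639), (False, 0xAF, 409640, 390000000),
                      (False, 0xAB, 390409640, 1269536), (True, 0xA6, 391679176, 98555576)])
NO_A6 = make_sector([(False, 0xEE, 1, 409639), (False, 0xAF, 409640, 390000000),
                     (False, 0xAB, 390409640, 1269536), (False, 0x0C, 391679176, 98555576)])

if __name__ == "__main__":
    for name, sector in (("protective", PROTECTIVE), ("hybrid", HYBRID), ("no-a6", NO_A6)):
        print(name, classify(parse_mbr(sector)), legacy_boot_problems(parse_mbr(sector)) or "ok")
```

To use it on a real machine, pass the first 512 bytes of the disk device to `parse_mbr` instead of a constructed sector.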

@gyakovlev

@jcs you are right. I've screwed my installation doing some wicked triple-boot encryption.

Had to do a clean OSX install and chose HFS+ partition while claiming space for other OSes.

There is no Hybrid MBR, only protective EE.

```
sudo fdisk /dev/disk0                                                                                            1 ↵  1084  15:28:49
Password:
Disk: /dev/disk0    geometry: 60821/255/63 [977105060 sectors]
Signature: 0xAA55
         Starting       Ending
 #: id  cyl  hd sec -  cyl  hd sec [     start -       size]
------------------------------------------------------------------------
 1: EE    0   0   1 - 1023 254  63 [         1 -  977105059] <Unknown ID>
 2: 00    0   0   0 -    0   0   0 [         0 -          0] unused
 3: 00    0   0   0 -    0   0   0 [         0 -          0] unused
 4: 00    0   0   0 -    0   0   0 [         0 -          0] unused
```

Will try the OpenBSD installation soon and report if 5.9 or current installer worked for me.

@systeemkabouter

Who else is here in 2019 and used this to successfully install OpenBSD 6.5 next to MacOS Mojave on his late 2013 Macbook?

Just to let anyone know that these excellent instructions are very valid for the above combo. Nice. And thanks a lot

@tbaumgard

A few notes for those seeing this in early 2020:

  • I got this to work using macOS Catalina and OpenBSD -current as of 2020-02-25. Things function properly as far as I can tell.
  • The Broadcom wireless card from the MacBook Pro (BCM943602CS) mentioned didn't work in at least the 2012 version of the 11" MacBook Air I have. The card is too long and the antenna cables don't reach. I suspect it only works in the 13" models, but I'd be happy to be proven wrong.
  • I didn't need to mount the UEFI ESP partition to move the bootloaders (step 6 at the time of writing) or install rEFInd. Simply holding down alt/option after hearing the boot chime will show an EFI Boot drive that corresponds to OpenBSD. rEFInd allows for far more customization, but I didn't need that for my purposes. gyakovlev's comment tipped me off to this.
  • It appears that synclient(1) may no longer be useful for configuring the trackpad based on what I've seen elsewhere on the internet and what it returns on my laptop. It appears wsconsctl(8) is meant to be used now, but I've really only ever used OpenBSD in a server environment and could be wrong. I got natural scrolling and two/three-button emulation through tapping by setting mouse.reverse_scrolling=1 and mouse.tp.tapping=1 in /etc/wsconsctl.conf(5). Is there a way to get this working with a trackpad click rather than a tap to mimic macOS behavior?
