@jcs
Last active April 2, 2024 20:18
macOS FileVault encryption and OpenBSD encrypted softraid on a Macbook Air/Pro

Update (2019-05-06): The Broadcom wireless card in the MacBook Pro works and can be crammed into the Air.

Update (2015-12-04): This document used to be very lengthy as there were many manual steps required to get OpenBSD and Mac OS X working together through Boot Camp Assistant (BCA), which created a hybrid MBR and enabled a legacy BIOS emulation mode which older versions of Windows (and OpenBSD) required. Newer Macbooks stopped supporting older versions of Windows through BCA and now only support Windows 10 since it uses GPT and UEFI. However, now that newer versions of OpenBSD support GPT and UEFI, Boot Camp Assistant is no longer needed at all to boot OpenBSD.

OpenBSD works pretty well on at least the Mid-2011 Macbook Air (A1370, SandyBridge) and Mid-2013 Macbook Air (Haswell). The new KMS code in 5.4 brings up the MBA's eDP display in 1366x768 with backlight control. ACPI works as expected for battery/AC status, CPU throttling, and full suspend/resume support. The Broadcom wireless card in the Pro works with the bwfm driver and can be installed into the Air, or one can use this tiny USB adapter (urtwn) which is rather unobtrusive when plugged in.

The Broadcom multi-touch trackpad is supported as of 5.5 with the ubcmtp driver, allowing for two-finger scrolling and 2- and 3-button emulation by clicking with multiple fingers.

5.8-current brought new or improved support for GPT, UEFI, USB 3, and Thunderbolt (at least Apple's gigabit ethernet adapter, supported by bge). GPT and UEFI support allow OpenBSD to co-exist with Mac OS X without the need for Boot Camp Assistant or Hybrid MBRs (though rEFInd is suggested for a graphical boot menu to choose between the OSes). Here's how to get both OSes working, each with its own disk encryption.

macOS Configuration

  1. Encrypt your drive by enabling FileVault. This will convert it into a Core Storage volume.

  2. Open Disk Utility, click on your hard disk (the drive, not the Mac OS X partition) and click Partition. Click "+" and add an HFS+ partition (choosing MSDOS for the type will create a Hybrid MBR which will cause problems later) of your chosen size that will be used for OpenBSD. Disk Utility will do a live resize and hopefully create your new partition. Pro tip: open a terminal before doing the resize, and tail -f /var/log/system.log to see the output of hfs_truncatefs doing its thing. This can take a half hour or more.
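
Step 2's hybrid MBR warning can be checked before booting the installer. The following Python is an added example, not part of the original gist: it reads the four MBR slots from a copy of the disk's first sector and reports whether the MBR is protective (a lone EE entry) or hybrid. The function names, the classification labels and the sample sectors are constructed for illustration.

```python
import struct
import sys

SECTOR = 512
TABLE_OFFSET = 446       # four 16-byte partition slots start here
GPT_PROTECTIVE = 0xEE    # the "EE/protective" partition type

def parse_mbr(sector):
    """Return (slot, type, start_lba, sectors) for each non-empty MBR slot."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("no 0xAA55 signature, not an MBR")
    used = []
    for slot in range(4):
        # status, CHS start, type, CHS end, start LBA, sector count
        _, _, ptype, _, start, size = struct.unpack_from(
            "<B3sB3sII", sector, TABLE_OFFSET + 16 * slot)
        if ptype != 0:
            used.append((slot + 1, ptype, start, size))
    return used

def classify(sector):
    """'protective': a lone EE slot; 'hybrid': EE plus other slots; else 'plain-mbr'."""
    used = parse_mbr(sector)
    if GPT_PROTECTIVE not in [ptype for _, ptype, _, _ in used]:
        return "plain-mbr"
    return "protective" if len(used) == 1 else "hybrid"

def build_mbr(slots):
    """Constructed sample sector from (type, start_lba, sectors) tuples."""
    sector = bytearray(SECTOR)
    for i, (ptype, start, size) in enumerate(slots):
        struct.pack_into("<B3sB3sII", sector, TABLE_OFFSET + 16 * i,
                         0, b"\0\0\0", ptype, b"\0\0\0", start, size)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

# Constructed samples. PROTECTIVE mirrors the single EE entry in the fdisk
# output quoted in the comments; HYBRID's extra slots are made-up values.
PROTECTIVE = build_mbr([(0xEE, 1, 977105059)])
HYBRID = build_mbr([(0xEE, 1, 409639), (0xAF, 409640, 800000000),
                    (0x0C, 800409640, 176695420)])

if __name__ == "__main__":
    if len(sys.argv) > 1:            # a saved copy of the disk's first sector
        with open(sys.argv[1], "rb") as f:
            print(classify(f.read(SECTOR)))
    else:
        print(classify(PROTECTIVE), classify(HYBRID))
```

Pass it a file holding the first 512 bytes of the disk; how that sector is captured (for example with dd from the raw disk device) is an assumption of this example.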

OpenBSD Installation

  1. Download the latest OpenBSD amd64 installXX.fs and dd it to a USB disk. Pro tip: if you're using a USB wireless device that requires firmware (like urtwn), download it manually from firmware.openbsd.org and put it on removable media (or possibly even your existing EFI MSDOS partition). Otherwise you won't have a network device available with which to download firmware for your network device.

  2. Reboot your Mac and hold down the Alt key immediately after the startup chime. Select the orange 'EFI Boot' disk.

  3. When OpenBSD boots, choose (S)hell and run fdisk -e sd0; there should be a new HFS+ partition already sliced out from Disk Utility. Change its type to A6 and quit. Then run disklabel -E sd0, create a new slice taking the defaults for the new OpenBSD partition, and use RAID as the type. Write/quit.

  4. Run bioctl -cC -l /dev/sd0a softraid0 to create a new softraid encrypted disk from the just-added RAID partition, and enter a passphrase. A new sd device should show up.

  5. Run install to get back to the installer, use sd2 or whatever was just created as the root disk, and proceed as normal. When prompted, choose to use the "(W)hole disk MBR" for sd2, as the current bootloader only supports MBR partitions on softraid devices.

  6. Before rebooting, mount the UEFI ESP partition of your hard drive and move the bootloaders OpenBSD just installed from /EFI/boot (the default EFI location) to an /EFI/openbsd directory, since we will be dual-booting and rEFInd needs to see them in an openbsd directory instead. mkdir /efi; mount -t msdos /dev/sd0i /efi; mkdir /efi/EFI/openbsd; mv /efi/EFI/boot/boot* /efi/EFI/openbsd/

  7. Run reboot. Your Mac should boot back into OS X.

Dual booting

  1. In macOS, install rEFInd per the instructions there. Reboot and you should now see a graphical boot menu with the OpenBSD blowfish. Selecting OpenBSD should boot to the usual bootloader, prompting you for your softraid passphrase.

TODO

  • Figure out how to disable startup chime from OpenBSD (StartupSound doesn't seem to work on Mountain Lion anymore, what is it doing anyway? Writing something to NVRAM?)
@jturner

jturner commented Apr 9, 2015

I was able to get the trackpad to work without issue and I'm able to boot OpenBSD without rEFInd. My only remaining issue is I'm not able to get past cpu1 detection without booting with --nextonly every time. Which isn't the end of the world.

@gonzalo-

anyone boot OpenBSD on a macbookpro12,1?

@brycv

brycv commented Dec 6, 2015

With 5.8-current as of basically December 1, the MacBookPro12,1 works reasonably well. Mark Kettenis has one and has been fixing a bunch of things so it runs reasonably well. Broadwell graphics still has some bugs. You can boot a USB install disk that's been created with UEFI boot support and then install the same way. See Jasper's post for details on how to do the UEFI install. The installer has also gained lots of UEFI support but I haven't tested that yet.

@vanhecke

Thanks for updating the document to -current @jcs!
Repartitioning the SSD never works for me in OSX, it does work in recovery mode.

I'm having trouble with the last step:

mkdir /efi;
mount -t msdos /dev/sd0i /efi;
mount_msdos: /dev/sd0i on /efi: Device not configured

-> disklabel -h only shows the RAID partition.

I rebooted anyhow and refind was still showing the original MSDOS partition I created in recovery mode.
I just pick that option and openbsd boots fine, but no video (not even VESA, I used to get VESA in 5.6 and 5.7).

It seems like OpenBSD didn't write anything to the ESP partition.. (Because of the disk encryption maybe?)

Xorg.log : https://gist.github.com/aa816aa9745fad2ee72d
dmesg: https://gist.github.com/ccd823c4db36cf949816

@alexjj

alexjj commented Dec 12, 2015

Last time I dual booted a Mac (it was linux) I muted the volume in OS X and that stopped the start up chime. Doesn't address your TODO specifically though.

@gyakovlev

Hey @vanhecke, I had the same problem. Cannot mount sd0i from within OpenBSD.
The solution is to mount the EFI partition to /Volumes/EFI in OS X and place the appropriate BOOTX64.EFI in /Volumes/EFI/EFI/BOOT/
No need to install rEFInd, just hold Option on boot and choose the non-OS X partition.

@jcs
Author

jcs commented Mar 15, 2016

@gyakovlev @vanhecke The problem you probably ran into is that Apple's Disk Utility chooses to create a hybrid MBR when adding an MSDOS partition, rather than just creating an MBR with one big EE/protective partition. This causes OpenBSD's fdisk and kernel to see the disk as MBR and ignore the GPT, and since the hybrid MBR doesn't have an EFI system partition sliced out (this is different than the EE/protective partition), OpenBSD doesn't recognize a FAT partition anywhere.

The workaround for this (from krw@) is to choose HFS+ when slicing off a partition for OpenBSD, which should cause Disk Utility to not use a hybrid MBR but instead just create one big EE/protective partition in the MBR, which will allow the OpenBSD kernel and fdisk to see the disk as GPT, which will cause the FAT partition to show up (sd0i or similar) and allow the installer to mount the EFI partition. I've updated the notes here to recommend choosing HFS+ for the new partition type in Disk Utility.

@gyakovlev

@jcs you are right. I've screwed my installation doing some wicked triple-boot encryption.

Had to do a clean OSX install and chose HFS+ partition while claiming space for other OSes.

There is no Hybrid MBR, only protective EE.

sudo fdisk /dev/disk0
Password:
Disk: /dev/disk0    geometry: 60821/255/63 [977105060 sectors]
Signature: 0xAA55
         Starting       Ending
 #: id  cyl  hd sec -  cyl  hd sec [     start -       size]
------------------------------------------------------------------------
 1: EE    0   0   1 - 1023 254  63 [         1 -  977105059] <Unknown ID>
 2: 00    0   0   0 -    0   0   0 [         0 -          0] unused
 3: 00    0   0   0 -    0   0   0 [         0 -          0] unused
 4: 00    0   0   0 -    0   0   0 [         0 -          0] unused

Will try the OpenBSD installation soon and report if 5.9 or current installer worked for me.

@systeemkabouter

Who else is here in 2019 and used this to successfully install OpenBSD 6.5 next to MacOS Mojave on his late 2013 Macbook?

Just to let anyone know that these excellent instructions are very valid for the above combo. Nice. And thanks a lot

@tbaumgard

A few notes for those seeing this in early 2020:

  • I got this to work using macOS Catalina and OpenBSD -current as of 2020-02-25. Things function properly as far as I can tell.
  • The Broadcom wireless card from the MacBook Pro (BCM943602CS) mentioned didn't work in at least the 2012 version of the 11" MacBook Air I have. The card is too long and the antenna cables don't reach. I suspect it only works in the 13" models, but I'd be happy to be proven wrong.
  • I didn't need to mount the UEFI ESP partition to move the bootloaders (step 6 at the time of writing) or install rEFInd. Simply holding down alt/option after hearing the boot chime will show an EFI Boot drive that corresponds to OpenBSD. rEFInd allows for far more customization, but I didn't need that for my purposes. gyakovlev's comment tipped me off to this.
  • It appears that synclient(1) may no longer be useful for configuring the trackpad based on what I've seen elsewhere on the internet and what it returns on my laptop. It appears wsconsctl(8) is meant to be used now, but I've really only ever used OpenBSD in a server environment and could be wrong. I got natural scrolling and two/three-button emulation through tapping by setting mouse.reverse_scrolling=1 and mouse.tp.tapping=1 in /etc/wsconsctl.conf(5). Is there a way to get this working with a trackpad click rather than a tap to mimic macOS behavior?
