Upgrading a FileVault 2 encrypted Mac to 10.9 – Differences between CreateOSXInstallPkg and Apple’s Mavericks installation methods
I was recently wrong on the internet again, but as always making a mistake gave me a chance to learn from it. What I learned was the method Mac admins choose to use upgrading their Macs to Mavericks may have behavior that apply specifically to FileVault 2-encrypted Macs. See below the jump for details.
There are two main ways that Mac admins are generally upgrading Macs to Mavericks:
- createOSXInstallPkg: createOSXInstallPkg is a tool created by Greg Neagle. It is used to build individual installer packages that can install OS X Lion, Mountain Lion or Mavericks.
- Apple’s Mavericks installation methods: Apple’s installation methods include using Install OS X Mavericks.app, install media created by using Apple’s createinstallmedia tool and NetInstall / NetRestore .
When upgrading a FileVault 2-encrypted Mac to Mavericks, you may see the following behavior when rebooting as part of the upgrade process:
createOSXInstallPkg – The Mac will boot to the FileVault 2 pre-boot login screen and require an account password to unlock. Once provided, the Mac boots and the upgrade process will proceed.
Apple’s Mavericks installation methods – The Mac will reboot without stopping at the pre-boot login screen during the upgrade process. Once the upgrade process is completed, the Mac will resume the expected behavior of booting to the FileVault 2 pre-boot login screen.
The difference has to do with which OS’s installation method is being used. Greg reverse-engineered 10.7’s installation process (see timestamp [18:43:31 UTC]) when he built createOSXInstallPkg (originally known as InstallLionPkg). That installation method does not include the Apple Mavericks installer’s ability to store an unlock key in system memory or the SMC so the disk is not automatically unlocked at boot. With the disk being locked, the Mac will boot to the FileVault 2 pre-boot login screen so that it can be unlocked. To help illustrate this, I’ve made a video showing the behavior.
Apple’s installation method does include putting an unlock key in memory, so the Apple Mavericks installer will keep supplying the unlock key as needed until the upgrade process is completed. At that point, the process that stores the key in memory stops running and the Mac goes back to the expected boot behavior where the Mac boots to the FileVault 2 pre-boot login for authentication before unlocking the disk. To help illustrate this, I’ve made a video showing the behavior.
When upgrading a FileVault 2-encrypted Mac to Mavericks, you may see the following behavior if the disk being upgraded is in the process of encrypting or decrypting:
createOSXInstallPkg – Installation of the createOSXInstallPkg installer fails.
Apple’s Mavericks installation methods – Upgrade proceeds without errors.
The difference here has to do with lines 835 – 858 of the postflight script in a createOSXInstallPkg-built OS X installer.
target_volume_is_corestorage_or_raid = False # check the install volume to see if it's CoreStorage cs_state = getCoreStorageStatus(installvolumepath) if cs_state in ['Encrypted', 'Not encrypted']: target_volume_is_corestorage_or_raid = True # make sure we can find the Apple_Boot helper partition before # we continue helper_partitions = findBootHelperPartitions(installvolumepath) if not helper_partitions: cleanupFromFailAndExit( 'Cannot find a Recovery partition set as a boot helper for ' 'CoreStorage volume %s. Cannot continue.' % installvolumepath) print ('%s appears to be a CoreStorage volume.' % installvolumepath) elif cs_state == 'Not CoreStorage': target_volume_is_corestorage_or_raid = False else: # volume is being converted to or from Core Storage # we should not install now. cleanupFromFailAndExit( 'Cannot install to CoreStorage volume %s in the middle of ' 'conversion. Current state is: %s.\nPlease wait for conversion ' 'to complete, restart, and try again.' % (installvolumepath, cs_state))
As a safety check, this section of the postflight script checks to see if target drive has a CoreStorage volume and if it is in the process of converting. A converting CoreStorage volume means the drive is either being encrypted or decrypted.
If a converting CoreStorage volume is detected, this section of the postflight script prevents the install process from proceeding. In turn, the installer stops and reports an installation failure. To help illustrate this, I’ve made a video showing the behavior.
Apple’s Mavericks installation methods does not include this check and proceeds without errors on a converting CoreStorage volume. To help illustrate this, I’ve made a video showing the behavior.