macOS 10.13 High Sierra has now been released, and one of the major features is a new filesystem called APFS.  APFS is not just a filesystem to replace HFS+, but also replaces Core Storage as the volume manager.  How does this affect Boot Camp?  Let’s dive in a bit and look at the progression of partitioning changes since Boot Camp was introduced.  I’ll then discuss how this affects High Sierra and finally some guesses on where this is all leading.

In the beginning

When Mac OS X was introduced, the partition scheme was the GUID Partition Table, or GPT.  Intel-based Macs are different from PPC-based Macs, as they used EFI to boot the operating system.  Earlier builds of the original version of Mac OS X could boot on FDisk partitioned disks, but past those earlier builds, GPT was the partition scheme that all Intel-based Macs started with. The specification for EFI requires an EFI partition at the start of the disk, and Apple-partitioned disks had a 200 MB empty EFI partition.  After the EFI partition was an HFS+ partition that contained Mac OS X.  The EFI partition did not contain the boot loader for Mac OS X.  The boot loader was located on the HFS+ volume in /System/Library/CoreServices.

When Boot Camp was introduced to the Mac, Windows XP was all the rage.  Windows had a very different way of booting, based on a Master Boot Record (MBR), sometimes referred to as “Legacy Booting”.  EFI can be compatible with legacy booting, but on Windows PCs, the firmware is set to tell EFI to boot in Legacy mode to an MBR disk.  Since Windows XP was expecting an MBR partitioned disk when booting, a Boot Camp partition needed to exist on a GPT partitioned disk, but also look like an MBR partitioned disk.

Boot Camp booting solved this problem by modifying the guard (or protective) MBR to look like a standard MBR.  The guard MBR is part of the GPT specification that prevents legacy disk utilities from seeing GPT disks as unformatted.  The guard MBR is a single partition MBR that lists the single partition as a type of “Unknown” and covers the entire disk.  A legacy disk manager can read the guard MBR as a standard MBR but would only show an unknown type for the entire disk.  Apple leveraged the guard MBR in the GPT specification and created a hybrid MBR.  The hybrid MBR maps the first 4 GPT partitions to the 4 MBR partitions (the MBR only supports 4 partitions, called “primary partitions”). Since Mac OS X GPT partitioned disks only had 2 partitions (the EFI partition and the HFS+ partition), it was a direct mapping.  When Windows XP booted, the Mac EFI firmware passed control to the boot code in the same disk sector as the hybrid MBR (which is the first sector on the disk).  This boot code looked up what partition was flagged in the MBR, and then passed control to the volume boot record that was on the flagged partition.  Windows then booted up in Legacy mode.

EFI Bootable Windows

With the release of Windows 8, there was a push to start EFI booting Windows client machines.  PC BIOS had long supported EFI, but it was usually set to emulate legacy booting on Windows clients (though Windows servers tended to favor EFI booting).  Apple updated the Mac firmware to support EFI booting of Windows, along with legacy booting (Macs around 2013 could boot Windows in both Legacy and EFI modes).

Booting Windows in a Boot Camp partition via EFI was very different from legacy booting.  The hybrid MBR was no longer required (in fact, if it was there, the Mac tried to legacy boot).  When the Windows volume was selected, control was passed off to the Windows boot loader on the EFI partition (that first partition that gets created when formatting as GPT). This boot loader reads the Windows BCD (Boot Configuration Data) file that contains the GUID of the partition of the Windows install.  Control is then passed to the boot loader on the Windows install and booting continues into Windows.

Core Storage and Fusion Drives

With the introduction of Fusion drives with Mac OS X 10.7 Lion, where a solid state drive and a spinning platter disk are combined to be presented as a single volume, things got a bit more complicated.  Core Storage was introduced as a volume manager to support this feature (as well as other features such as FileVault 2 and the recovery partition).  Windows was unaware of Core Storage and so the Windows partition needed to be created outside of Core Storage.  Mac OS X still used HFS+ as the filesystem, and a second HFS+ partition was added. The second HFS+ partition was the Recovery Partition, and was created to support installing the OS from the App Store, as well as booting to a partition that was encrypted with FileVault 2.  For Boot Camp, this meant that there were now 4 partitions on most drives: EFI, Recovery, Mac, and a Boot Camp (Windows) partition.  Legacy could still work for older versions of Windows (since the MBR contained only 4 primary partitions).

EFI only Macs

Around 2015, Apple released Macs that only supported EFI booting of Windows.  Only Windows 8 or later was supported for booting Windows in Boot Camp.   The Info.plist inside the Boot Camp Assistant outlines the starting models that are UEFI only:

<key>UEFIOnlyModels</key>
<array>
     <string>MacBook8,1</string>
     <string>MacBook7,1</string>
     <string>MacBookPro11,4</string>
     <string>MacPro6,1</string>
     <string>iMac16,1</string>
</array>

The Info.plist also gives some great information on what models supported 32-bit Windows and installation via a thumb drive versus just an ISO (see my post on Apple Boot Camp No Longer Requires USB Flash Drive to Install Windows in El Capitan for more info on that.)

SIP / macOS 10.11 El Capitan

In macOS 10.11 El Capitan, Apple introduced System Integrity Protection (SIP) that prevents even root from doing certain operations.  Two specific protections related to Boot Camp were included with SIP: Setting the Startup Disk and writing the Master Boot Record.

Startup Disk

Prior to 10.11, setting the startup disk was usually done by using the “bless” tool on the command line (or via the Startup Disk Preference Pane).  SIP required any app that set the startup disk to have a special entitlement and bless did not have that entitlement.  Another tool, systemsetup, had the correct entitlement, but systemsetup would only set the startup disk for SIP protected versions of macOS.  This meant that only 10.11 and 10.12 macOS versions could be selected.  You could no longer select the startup disk for Windows via the command line or programmatically.  You could still set the startup disk via the Startup Disk Preference Pane or hold down the Option key during startup.  You could also disable SIP via the recovery partition.

Writing the Master Boot Record

Writing the Master Boot Record requires direct access to the disk. Any process that can write the Master Boot Record can write to any data on the disk.  This was prevented by SIP so a process couldn’t change system files by writing directly to the disk. This also meant that a disk that was set up with a hybrid master boot record could not be changed to a guard master boot record.  This doesn’t seem like a big deal, since most modern Macs (since 2013) could boot Windows via EFI.  However, when creating a Boot Camp partition, the disk arbitration framework created a hybrid master boot record whenever a new FAT or exFAT partition was created (either with Disk Utility, Boot Camp Assistant, or the diskutil command line).  This prevented Windows from booting in EFI mode, since the existence of a hybrid master boot record told the firmware to boot Windows in Legacy mode.  Recent Macs only supported EFI booting of Windows, so booting would fail.  To resolve this, SIP had to be disabled to write a new Master Boot Record (or boot into the Windows installer and it would correct the issue as well during the installation).
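
The guard-versus-hybrid distinction described in the Boot Camp section, which decides whether the firmware tries a legacy boot, can be read straight from the first 512-byte sector. The following is an added example, not code from Apple or from the original post: the function names and both sample sectors are constructed, 0xEE is the MBR partition type GPT uses for its guard entry, and the sector is assumed to come from a disk image, since SIP restricts raw disk access on a running system.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
GPT_PROTECTIVE = 0xEE       # partition type of the guard MBR's single entry
ENTRY = "<B3xB3xII"         # status, CHS start, type, CHS end, first LBA, count


def parse_mbr(sector):
    """Return the non-empty primary partition entries of an MBR sector."""
    if len(sector) < SECTOR_SIZE or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR sector: bad length or signature")
    entries = []
    for slot in range(4):
        raw = sector[TABLE_OFFSET + 16 * slot:TABLE_OFFSET + 16 * (slot + 1)]
        status, ptype, first_lba, count = struct.unpack(ENTRY, raw)
        if ptype != 0:      # type 0 marks an unused slot
            entries.append({"slot": slot, "active": status == 0x80,
                            "type": ptype, "first_lba": first_lba,
                            "sectors": count})
    return entries


def classify_mbr(sector):
    """Classify as 'guard', 'hybrid', or 'legacy' (no GPT entry at all)."""
    types = [e["type"] for e in parse_mbr(sector)]
    if GPT_PROTECTIVE not in types:
        return "legacy"
    # A guard MBR holds only the 0xEE entry; anything extra makes it hybrid.
    return "guard" if types == [GPT_PROTECTIVE] else "hybrid"


def build_sector(entries):
    """Constructed-sample helper: MBR from (active, type, lba, count) tuples."""
    table = b"".join(struct.pack(ENTRY, 0x80 if a else 0, t, lba, n)
                     for a, t, lba, n in entries)
    return bytes(TABLE_OFFSET) + table.ljust(64, b"\0") + b"\x55\xaa"


# Constructed samples: a plain guard MBR, and a hybrid MBR whose fourth slot
# is a flagged Windows (type 0x07) partition, as in a legacy Boot Camp setup.
GUARD = build_sector([(False, 0xEE, 1, 0xFFFFFFFF)])
HYBRID = build_sector([(False, 0xEE, 1, 409639),
                       (False, 0xAF, 409640, 1000000),
                       (False, 0xAB, 1409640, 1269536),
                       (True, 0x07, 2679176, 195312500)])

if __name__ == "__main__":
    for name, sector in (("guard", GUARD), ("hybrid", HYBRID)):
        print(name, "->", classify_mbr(sector), parse_mbr(sector))
```

A result of "hybrid" on an EFI-only Mac corresponds to the failed-boot case described above.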

APFS / macOS 10.13 High Sierra

Which brings us to macOS 10.13 High Sierra.  macOS 10.13 High Sierra introduced changes to the filesystem, volume manager, the partition setup, and SIP.

The new filesystem modernizes the file system on the Mac and introduces a new volume manager. Both the file system and the volume manager are named APFS.  The recovery partition is no longer a separate GPT partition, but is now included in the APFS volume manager.  The GPT partition table is simplified: EFI, APFS, and the Boot Camp (Windows) partition.  Disk Utility (including the command line utility diskutil) has been updated to correctly re-partition APFS and create FAT/exFAT partitions outside the APFS volume manager. In fact, the Core Storage commands are nearly identical to the APFS commands in the command line diskutil.  For instance, here is how you create a Boot Camp partition in Core Storage and APFS:

diskutil cs resizestack / 100GB MS-DOS DOS 0b

diskutil apfs resizeContainer /dev/disk0 100GB MS-DOS DOS 0b

The good news is that when a partition is created as FAT or exFAT, a hybrid MBR is no longer written, and Windows is not prevented from booting in EFI mode. SIP also was tweaked so that root could no longer read the Master Boot Record (or directly from the raw disk).

Looking to the future / Secure Boot

There are lots of signs that Apple is going to be supporting Secure Boot for macOS in the near future.  macOS 10.13 High Sierra has a private framework called SecureBoot.bundle.  The Boot Camp Assistant entitlements file contains a new key that suggests secure booting for Windows:

<key>com.apple.private.EnableMSSecBoot</key>
<true/>

This implies a couple of things for Secure Boot.  First, the EFI firmware on new Macs (and potentially a firmware update to existing Macs) would include an Apple-signed certificate that verifies the EFI boot loader (which may or may not still reside in /System/Library/CoreServices).   The certificates could be stored in the secure enclave that is currently in TouchBar Macs or in the EFI firmware.

Second, I would also expect that the EFI firmware would contain the Microsoft certificate that would allow Windows 10 to secure boot.  The systemsetup command would then allow any trusted EFI boot loader to be selected.

I would be surprised if Apple allowed you to add your own certificates that are trusted, but it could be a process that is only allowed in the Recovery Partition.  I also expect that Apple will only trust the Microsoft certificate for booting Windows, and not the Microsoft certificate that allows PCs to trust 3rd Party signed certificates.

High Sierra is the start of some major changes associated with the disk, including a new file system and a new volume manager. Boot Camp is still very much supported with the changes.  High Sierra sets the stage for changes in booting both macOS and Windows.