Apple Platform Security
- Welcome
- Intro to Apple platform security
-
- System security overview
- Signed system volume security
- Secure software updates
- Rapid Security Responses
- Operating system integrity
- BlastDoor for Messages and IDS
- Lockdown Mode security
- System security for watchOS
- Random number generation
- Apple Security Research Device
-
- Services security overview
-
- Apple Pay security overview
- Apple Pay component security
- How Apple Pay keeps users’ purchases protected
- Payment authorization with Apple Pay
- Paying with cards using Apple Pay
- Contactless passes in Apple Pay
- Rendering cards unusable with Apple Pay
- Apple Card security
- Apple Cash security
- Tap to Pay on iPhone
- Secure Apple Messages for Business
- FaceTime security
- Glossary
- Document revision history
- Copyright
Boot modes of an Intel-based Mac with an Apple T2 Security Chip
An Intel-based Mac with an Apple T2 Security Chip has a variety of boot modes that can be entered at boot time by pressing key combinations, which are recognized by the UEFI firmware or booter. Some boot modes, such as Single User Mode, won’t work unless the security policy is changed to No Security in Startup Security Utility.
Mode | Key combo | Description | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
macOS boot | None | The UEFI firmware hands off to the macOS booter (a UEFI application), which hands off to the macOS kernel. On standard booting of a Mac with FileVault enabled, the macOS booter presents the Login Window interface, which takes the password to decrypt the storage. | |||||||||
Startup Manager | Option (⌥) | The UEFI firmware launches the built-in UEFI application that presents the user with a boot device selection interface. | |||||||||
Target Disk Mode (TDM) | T | The UEFI firmware launches the built-in UEFI application that exposes the internal storage device as a raw, block-based storage device over FireWire, Thunderbolt, USB, or any combination of the three (depending on the Mac model). | |||||||||
Single User Mode | Command (⌘)-S | The macOS kernel passes the Note: If the user exits the shell, macOS continues boot to the Login Window. | |||||||||
recoveryOS | Command (⌘)-R | The UEFI firmware loads a minimal macOS from a signed disk image (.dmg) file on the internal storage device. | |||||||||
Internet recoveryOS | Option (⌥)-Command (⌘)-R | The signed disk image is downloaded from the internet using HTTP. | |||||||||
Diagnostics | D | The UEFI firmware loads a minimal UEFI diagnostic environment from a signed disk image file on the internal storage device. | |||||||||
Internet Diagnostics | Option (⌥)-D | The signed disk image is downloaded from the internet using HTTP. | |||||||||
Windows boot | None | If Windows has been installed using Boot Camp, the UEFI firmware hands off to the Windows booter, which hands off to the Windows kernel. | |||||||||