Welcome Guest! To enable all features please Login or Register.

Notification

Icon
Error

Options
View
Go to last post Go to first unread
Offline News  
#1 Posted : Thursday, November 13, 2014 11:19:59 PM(UTC)
News


Rank: Member

Reputation:

Groups: Administrators, Registered
Joined: 9/23/2007(UTC)
Posts: 25,073

Was thanked: 3 time(s) in 3 post(s)
One of the disadvantages to buying an Apple system is that it generally means less upgradeability and flexibility than a system from a traditional PC OEM. Over the last few years, Apple has introduced features and adopted standards that made upgrading or using third-party hardware progressively more difficult. Now, with OS X 10.10 Yosemite, the company has taken another step down the path towards total vendor lock-in and effectively disabled support for third-party SSDs.

We say "effectively" because while third-party SSDs will still work, they'll no longer perform the TRIM garbage collection command. Being able to perform TRIM and clean the SSD when its sitting idle is vital to keeping the drive at maximum performance -- without it, an SSD's real world performance will steadily degrade over time. Exactly how far depends a great deal on workloads, available free space, and how much idle garbage collection the drive controller performs independently of the OS TRIM command.

TRIM support has been baked into Windows and OS X for long enough that new SSDs aren't typically tested to evaluate the impact of not running TRIM has on the drive. Tests from 2010-2011 show that performance could degrade by 30-50% between a tortured SSD without TRIM and a drive where TRIM had run. Letting the drive perform its own garbage collection without running TRIM typically improved performance, but rarely back to baseline.

Why Apple Removed TRIM Support From Third-Party Drives:

The first thing to know is that Apple has long had a history of only enabling TRIM for Apple drives by default. If you installed a third-party SSD, you had to use a third-party tool to enable TRIM functionality. This was relatively easy to do, and there are a number of guides dedicated to showing users how to install an SSD of their own choosing while still enabling TRIM support.

What Apple did with OS X 10.10 is introduce kext (Kernel EXTension) driver signing. Kext signing means that at boot, the OS checks to ensure that all drivers are approved and enabled by Apple. It's conceptually similar to the device driver checks that Windows performs at boot. If a third-party SSD is detected, the OS will detect that a non-approved SSD is in use, and Yosemite will refuse to load the appropriate driver.

Attempt to boot a third-party SSD with Yosemite installed, and at least some users are apparently being met with a grey stop sign, as shown below:



If you're feeling generous, Apple likely made this change to improve device security under OS X. If you're feeling not-so-generous, Apple made this change to protect its profit margins. Apple charges $800 to upgrade a $1999 MacBook Pro from 256GB to 1TB of PCIe storage; our price checks suggest that drive should cost $800 if purchased separately. A 256GB SSD upgrade to a Mac Mini costs $200 -- more than you'd pay for a 256GB SSD separately.

There's a way to disable the driver signing that causes this problem, but here's the kicker -- it's an all-or-nothing procedure that requires you shut off the entire security system. You can either have TRIM support, or you can have driver security, but you can't have both.

The Shortsightedness of Apple's Approach

Here's why this is such a bad idea. Apple is now guaranteeing that a subset of its users -- typically its power users and biggest spenders -- are going to be forced to disable important security systems to make full use of their hardware. This comes as more iPhone attacks that use OS X as a vector are hitting the wild.

Microsoft, for all its many and numerous faults, always did one thing right when it came to protecting its users:  Even if you're a Windows pirate, you get full access to security updates. The company didn't make this decision out of the goodness of its heart -- it recognized that the herd immunity is as valuable online as it is in real life. Every user running with kext signing disabled is a potential attack vector.

Barring a change to Apple's own policies, there's little that third-party software vendors can do. There are more details here, but the bottom line is that users now have to choose -- you can have better security, or you can have better SSD performance at a reasonable price, but you can't have both on an Apple system.
Offline basroil  
#2 Posted : Friday, November 14, 2014 9:12:47 AM(UTC)
basroil


Rank: Member

Reputation:

Groups: Registered
Joined: 6/19/2013(UTC)
Posts: 84

"If you're feeling generous, Apple likely made this change to improve device security under OS X."

Enabling an INDUSTRY STANDARD on third party disks cannot be a security related issue. TRIM is an entirely hardware based function (well, SSD controller level, which is software technically) that cannot interfere with any encryption or data integrity!

Offline Dave_HH  
#3 Posted : Friday, November 14, 2014 10:08:04 AM(UTC)
Dave_HH


Rank: Advanced Member

Reputation:

Groups: Administrators, Editors, Moderator, Registered
Joined: 7/12/2004(UTC)
Posts: 3,689
Man
Location: United States, Massachusetts

Thanks: 1 times
Was thanked: 11 time(s) in 10 post(s)

Totally agreed. This is nothing but the same old stereo-typical Apple. You have to come to us for everything, every dollar, under the guise of making a product better.

Offline LLeCompte  
#4 Posted : Friday, November 14, 2014 10:33:44 AM(UTC)
LLeCompte


Rank: Member

Reputation:

Groups: Registered
Joined: 12/2/2010(UTC)
Posts: 443

Apple is getting really insane with their stuff. 3rd party SSDs? Apple doesnt make it's own SSDs so every SSD is a 3rd party. I guess in apple's eyes even if you buy their stuff they still own it.

Offline JonathanAzrielant  
#5 Posted : Sunday, November 16, 2014 1:39:46 PM(UTC)
JonathanAzrielant


Rank: Member

Reputation:

Groups: Registered
Joined: 11/16/2014(UTC)
Posts: 1

There's an open question in your reporting, Joel: Does Apple provide hardware developers with a way to submit their kernel extensions for Apple's review and approval? If so, this move is a bit less severe than your article makes it sound and more like Apple's policies surrounding the App Store; Apple is bringing a "walled garden" experience to hardware drivers.

Offline TomJepp  
#6 Posted : Sunday, November 16, 2014 3:00:36 PM(UTC)
TomJepp


Rank: Member

Reputation:

Groups: Registered
Joined: 11/16/2014(UTC)
Posts: 1

This article is a bit misleading.

Apple have never supported TRIM on third-party SSDs. This dates from the very first introduction of SSDs into Macs.

The method previously used to enable TRIM on third-party SSDs was the use of a patch to the Apple AHCI driver. This patch removed the check for an Apple approved SSD and enabled TRIM on all SSDs.

Yosemite enables kernel extension signing by default. This patch can still be applied to Yosemite, but it will not load unless kernel extension signing is disabled. It isn't reasonable to expect Apple to sign an unauthorised modified version of their own driver.

Most people who have needed to enable TRIM use an application called TRIM Enabler - this has had an update for Yosemite and can automatically disable kernel extension signing as part of the patch.

Offline Joel H  
#7 Posted : Sunday, November 16, 2014 8:19:33 PM(UTC)
Joel H


Rank: Member

Reputation:

Groups: Administrators, Registered
Joined: 7/16/2009(UTC)
Posts: 1,089

Tom,

Right. Apple previously didn't *enable* this function, but they didn't take security actions to make it impossible, either. Now, they have. So now, if you want to enable TRIM, you have to install a patch or take action manually that disables the *entire* driver signing mechanism.

That's bad design.

Now, you can argue that you don't make the system any less secure under OS X 10.10 than it was under OS X 10.9, since you're disabling a feature that wasn't previously available. Nonetheless, if the goal is to improve the security environment for all users, you need to offer security features that users don't need to disable to keep using their previously purchased hardware.

That's the real problem here. And while I absolutely agree that Apple didn't previously support this mode directly, they're now forcing users to pick between a less secure operating mode or buying new, Apple approved hardware at Apple-decided prices.

Users browsing this topic
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.