Startup Security Utility overview
Startup Security Utility replaces the previous Firmware Password Utility. On Mac computers with an Apple T2 Security Chip, it handles a larger set of security policy settings. Mac computers without a T2 chip continue to use Firmware Password Utility. The utility is accessible by booting into recoveryOS and selecting Startup Security Utility from the Utilities menu. The advantage of putting critical system security policy controls (such as secure boot or SIP) in recoveryOS is that the entire OS is integrity checked. This ensures that any attacker code that has broken into the Mac can’t trivially impersonate the user for purposes of further disabling security policies.
Critical policy changes now require authentication, even in Recovery mode. This feature is available only on Mac computers containing the T2 chip. When Startup Security Utility is first opened, it prompts the user to enter an administrator password from the primary macOS installation associated with the currently booted macOS Recovery. If no administrator exists, one must be created before the policy can be changed. The T2 chip requires that the Mac computer is currently booted into macOS Recovery and that an authentication with a Secure Enclave–backed credential has occurred before such a policy change can be made.
Security policy changes have two implicit requirements. macOS Recovery must:
Be booted from a storage device directly connected to the T2 chip, because partitions on other devices don’t have Secure Enclave–backed credentials bound to the internal storage device.
Reside on an APFS-based volume, because the Authentication in Recovery credentials sent to the Secure Enclave can be stored only on the “Preboot” APFS volume of a drive. HFS Plus-formatted volumes can’t use secure boot.
The secure boot policy is shown only in Startup Security Utility on Mac computers with an Apple T2 Security Chip. Although the majority of use cases shouldn’t require changes to the secure boot policy, users are ultimately in control of their device’s settings, and may choose, depending on their needs, to disable or downgrade the secure boot functionality on their Mac.
Secure boot policy changes made from within this app apply only to the evaluation of the chain of trust being verified on the Intel processor. The option “Secure boot the T2 chip” is always in effect.
Secure boot policy can be configured to one of three settings: Full Security, Medium Security, and No Security. No Security completely disables secure boot evaluation on the Intel processor and allows the user to boot whatever they want.
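Because users can downgrade the policy, a fleet owner may want to find Mac computers that are no longer at Full Security. The following is an added example, not Apple's code and not part of the original page. It assumes the setting can be read on T2 Macs from the NVRAM variable named in SB_VAR with values %02, %01 and %00 for Full, Medium and No Security (neither the variable nor the encoding is stated on this page), and the inventory records are constructed sample data.

```shell
#!/bin/sh
# Assumption (not from the page): NVRAM variable that holds the T2 secure boot policy.
SB_VAR='94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy'

# Map one line of `nvram "$SB_VAR"` output to a policy name.
# Anything else (error text, empty output, Mac without a T2 chip) is "unknown".
classify_secure_boot() {
    case "$1" in
        *AppleSecureBootPolicy*%02) echo "Full Security" ;;
        *AppleSecureBootPolicy*%01) echo "Medium Security" ;;
        *AppleSecureBootPolicy*%00) echo "No Security" ;;
        *) echo "unknown" ;;
    esac
}

# On a Mac: classify the local machine.
local_secure_boot() { classify_secure_boot "$(nvram "$SB_VAR" 2>/dev/null)"; }

# Read "host<TAB>collected nvram output" records on stdin and print every
# host that is not confirmed to be at Full Security.
audit_fleet() {
    tab=$(printf '\t')
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        host=${line%%"$tab"*}
        raw=${line#*"$tab"}
        [ "$raw" != "$line" ] || raw=""   # record had no output column
        policy=$(classify_secure_boot "$raw")
        [ "$policy" = "Full Security" ] || printf '%s: %s\n' "$host" "$policy"
    done
}

# Constructed sample inventory (hostnames and error text are illustrative).
sample_inventory() {
    printf '%s\t%s\t%s\n' mac-01 "$SB_VAR" '%02'
    printf '%s\t%s\t%s\n' mac-02 "$SB_VAR" '%01'
    printf '%s\t%s\t%s\n' mac-03 "$SB_VAR" '%00'
    printf '%s\t%s\n' mac-04 "nvram: Error getting variable - '$SB_VAR': data was not found"
}
```

Running `sample_inventory | audit_fleet` lists mac-02, mac-03 and mac-04; an "unknown" result is reported rather than treated as compliant, since a missing variable does not show that secure boot is enforced.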