Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Data Storage OS X Upgrades Apple

Apple Disables Trim Support On 3rd Party SSDs In OS X 327

MojoKid (1002251) writes One of the disadvantages to buying an Apple system is that it generally means less upgrade flexibility than a system from a traditional PC OEM. Over the last few years, Apple has introduced features and adopted standards that made using third-party hardware progressively more difficult. Now, with OS X 10.10 Yosemite, the company has taken another step down the path towards total vendor lock-in and effectively disabled support for third-party SSDs. We say "effectively" because while third-party SSDs will still work, they'll no longer perform the TRIM garbage collection command. Being able to perform TRIM and clean the SSD when it's sitting idle is vital to keeping the drive at maximum performance. Without it, an SSD's real world performance will steadily degrade over time. What Apple did with OS X 10.10 is introduce KEXT (Kernel EXTension) driver signing. KEXT signing means that at boot, the OS checks to ensure that all drivers are approved and enabled by Apple. It's conceptually similar to the device driver checks that Windows performs at boot. However, with OS X, if a third-party SSD is detected, the OS will detect that a non-approved SSD is in use, and Yosemite will refuse to load the appropriate TRIM-enabled driver.
This discussion has been archived. No new comments can be posted.

Apple Disables Trim Support On 3rd Party SSDs In OS X

Comments Filter:
  • by SuperKendall ( 25149 ) on Sunday November 16, 2014 @12:58PM (#48397181)

    If you read the rest of the article, you find that you can simply disable the driver loading security to have it working again.

    The article paints this as a huge security issue, but why? Anyone putting in a custom SSD is also probably technically astute enough not to download a KEXT that ostensibly puts a cat following your cursor or what have you.

    Cn anyone reasonably argue that having a system highly secure for non-technical users with easy workarounds for actually technical users is a bad compromise? The people who are not technical need all the help they can get.

    Also - couldn't you actually just sign the drivers that are needed for trim? What prevents that?

    • that are needed for trim? What prevents that? Likely just time. But that doesn't make for an alarming headline.
    • by AmiMoJo ( 196126 ) * on Sunday November 16, 2014 @01:05PM (#48397231) Homepage Journal

      Why do they even need a special driver for a third party SSD? It's a SATA device, and most operating system have a generic SATA storage device driver that they use for everything.

      • Re: (Score:3, Informative)

        by Anonymous Coward

        Generic SATA storage devices don't support TRIM. That said, TRIM is a hack for consumer SSD's of a few generations ago that allows getting reasonable performance without overprovisioning sectors. Enterprise SSDs have never depended on that. They use more overprovisioning so don't need TRIM. SSD has gotten cheap enough that this approach can also be used in consumer drives these days.

        • Do you know if this applies to the Samsung 840 EVO series?

          • I'm wondering about that myself. Early benchmarks showed that the 840 EVO benefits from TRIM, but that drive also had wonky firmware [anandtech.com] that was causing read degradation. Could the old firmware have accounted for some of the benchmark problems?

            Side note: I applied the firmware upgrade myself last week and it went through without a hitch. YMMV, but I had an easy time of it.

        • by Improv ( 2467 )

          That's not what TRIM is for.

        • The generic MS drivers know how to see if the drive supports TRIM and send the commands if it does. That's the point of TRIM: It is an ATA standard command, so special software isn't needed.

          In fact, in Windows all you use is the generic drivers. I mean you may install drivers for your SATA controller, but not for your drive. My laptop has a Samsung 840 Pro in it, with Samsung's Magician installed. However the drivers in use are disk.sys, partmgr.sys (both Microsoft files) and iastorf.sys (Intel's file). No

    • by DRJlaw ( 946416 ) on Sunday November 16, 2014 @01:06PM (#48397239)

      If you read the rest of the article, you find that you can simply disable the driver loading security to have it working again.

      The article paints this as a huge security issue, but why?

      Because you cannot simply add your own key, but you have to disable all driver signing in order to use one non-approved driver?

      Cn anyone reasonably argue that having a system highly secure for non-technical users with easy workarounds for actually technical users is a bad compromise?

      Yes. See every argument ever about UEFI secure boot on PCs intended to run Windows 8.

    • by JBMcB ( 73720 )

      Can't you run TRIM manually as well? Back when Linux TRIM support sucked you just ran it as a CRON job every once and a while.

    • by Golden_Rider ( 137548 ) on Sunday November 16, 2014 @01:40PM (#48397467)

      Also - couldn't you actually just sign the drivers that are needed for trim? What prevents that?

      As the author of the popular "trim enabler" software (which patches the original apple drivers and so causes the original drivers to fail the kext signing check) puts it:

      "all of Apple’s AHCI SATA drivers are closed source and undocumented, which makes it impossible for me to create my own Trim driver and get it signed."

      Which is also the reason why there are no trim drivers available from hardware manufacturers like Samsung, etc. No access to Apple's driver documentation - no signed trim drivers.

    • by silfen ( 3720385 )

      Cn anyone reasonably argue that having a system highly secure for non-technical users with easy workarounds for actually technical users is a bad compromise? The people who are not technical need all the help they can get.

      https://yourlogicalfallacyis.c... [yourlogicalfallacyis.com]

      Also - couldn't you actually just sign the drivers that are needed for trim? What prevents that?

      The problem seems to be that Apple's driver takes over handling of these drives while at the same time refusing to TRIM them. If a third party could circumvent

    • by blueg3 ( 192743 )

      The article paints this as a huge security issue, but why?

      Because loading kernel extensions is one of the easiest ways of turning a user-mode code-execution exploit into a kernel-mode code-execution exploit. Those are serious business.

      People like to treat exploits in a vacuum and handwave around the other components of a full-stack exploit. Vulnerability in Safari that enables an attacker to make you silently download and run a native executable? No problem, it's only running in user mode. Vulnerability in system configuration that enables loading of unsigned kext

  • by wes33 ( 698200 ) on Sunday November 16, 2014 @01:00PM (#48397189)

    It can be done if you're willing to disable kext security check

    see http://www.cindori.org/trim-en... [cindori.org]

    • by cfalcon ( 779563 ) on Sunday November 16, 2014 @01:06PM (#48397243)

      Could we mod up parent, or similar posts at least? I came in here with righteous anger at Apple and find it's just a simple procedure to reenable this thing if you have one of those. This is Apple actually being more security conscious. My fucking iPhone has a goddamned gray bar overlay because my background is too pretty so it nerfs it, and I have to use buggy Fleksy for Dvorak (which works as of this week), so could we save shitting on Apple for the things it actually does wrong, and not for legit security boosts that are user bypassable without hackery?

      The shenanigans that are possible to put in a driver, or in firmware, are hard to over emphasize. Any step towards being able to prevent a cleverly written hardware attack or up the cost of devel have merit, and while that's not worth losing user power over, this certainly isn't that.

      • Disabling the security check is a bad idea though. It's just better to run all your malware in userspace. :)

        You should not have to choose between using 3rd party hardware and having a secure system.
  • Ancient news (Score:5, Informative)

    by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Sunday November 16, 2014 @01:01PM (#48397201) Homepage Journal

    Apple has never enabled TRIM on non-OEM SSDs, which is probably the conservative and correct thing to do. If you're clever enough to install a new SSD, you're clever enough to enable it on your own (and presumably to know whether you should enable it, and whether it's even a benefit for your particular drive).

    The current workaround involved a single software vendor [cindori.org] who didn't sign their kexts. Apple's new security policy won't let you load random unsigned kernel modules unless you explicitly turn off the signature checking. While this is inconvenient for me personally - because I have a 3rd-party SSD and I used that software myself - on whole, I'd rather have a more secure OS than the dubious benefit of a possibly slightly faster SSD.

    • Its not 'more secure' if i have to drop ALL defenses for one driver. Apple should find a way to sign these, not force me out of a secure configuration. People replace HDDs in macs, they need to support it.
      • Apple should find a way to sign these

        They did [apple.com], at WWDC 2013. More to the point, I wonder why the Trim Enabler dev isn't signing his kext? Are there legitimate reasons, like he needs a special kind of thing that can't be signed using the provided tools, or is it because he doesn't want to pay for a dev license to sign the software he's selling? In a vacuum of information, there's not much point in speculating.

        People replace HDDs in macs, they need to support it.

        Why? Is TRIM empirically faster on your drive, or is this something you think you need?

        • by fnj ( 64210 )

          Your question has already been answered [slashdot.org], so you can stop wondering. No speculation is necessary.

          Hint: Trim Enabler is not a driver which has been "developed", it is something that applies a binary patch to the existing driver to remove the gratuitous checking for the string "APPLE SSD" [slashdot.org].

          So are you really asking what could be wrong with Apple categorically refusing to implement a standard ATA command that is essential to good SSD performance?

          • by j-beda ( 85386 )

            So are you really asking what could be wrong with Apple categorically refusing to implement a standard ATA command that is essential to good SSD performance?

            There have been a lot of references to various devices that do not actually follow that ATA command in a way that results in data integrety. There have also been a few references to refute the claim that TRIM support is essential to good SSD performance. Good "garbage collection" code in the SSD and sufficient overprovisioning can match system performance compared to systems with TRIM support.

    • You can always sign the kext yourself. You don't need an apple signature even, you just need a certificate chain thats in the system keychain.

      If done correctly, you maintain security completely.

  • Depends on the SSD (Score:5, Interesting)

    by khb ( 266593 ) on Sunday November 16, 2014 @01:02PM (#48397209)

    See http://blog.macsales.com/21641... [macsales.com] for an example of a properly designed SSD.

    kext signing is a GoodThing for security. Making the system less secure so that lazy implementors are protected isn't a good trade off.

    Apple *should* have provided a better upgrade experience so that users wouldn't be surprised, or end up with unbootable systems. Users that don't want to have kext protection CAN turn it off see http://www.cindori.org/trim-en... [cindori.org]

    To me this is akin to Apple's desupport of WPS ages ago. It took everyone else a while to figure out that WPS was a major security hole (indeed, its still there for most consumers).

    • by fnj ( 64210 )

      Overprovisioning and data compression are in no way a real substitute for TRIM. Anyone who thinks so is not thinking clearly.

      • ...

        You have no idea how SSDs work do you? TRIM is an absolutely shitty hack.

        The compression portion is just a free performance enhancement, send the drive entirely random, incompressible data and it will still perform great and that has no affect on trim like properties at all. Its stupid NOT to do compression. You can compress with an optimized controller a few orders of magnitude faster than you can write that same data to disk. Again, its stupid NOT to do compression.

        Your SSD controller ALREADY has t

    • See http://blog.macsales.com/21641 [macsales.com]... for an example of a properly designed SSD.

      Some would argue that a "properly designed" SSD is one which permits me to control the amount of over-provisioning, which is the primary reason you don't need to TRIM one of those drives. Other drives have controllers which do the same job.

      Users that don't want to have kext protection CAN turn it off see

      The problem there is that disabling kext signing is global. Apple should provide a facility to disable it for a single kext.

    • Apple *should* have provided a better upgrade experience so that users wouldn't be surprised, or end up with unbootable systems

      Users weren't surprised by unbeatable systems ... the upgrade overwrites the original hacked driver with a proper factory fresh one. It isn't until you reapply the hack, which modifies a signed driver without resigning it ... (dumb fuck move there) that you run into problems.

      So in reality, its working EXACTLY as its supposed to.

      If you're fucking with your drivers by making binary edits to them, you should know what you're doing and not be surprised when it blows up in your face.

  • Just to be clear... (Score:4, Informative)

    by Moridineas ( 213502 ) on Sunday November 16, 2014 @01:07PM (#48397255) Journal

    Apple, for whatever dumb reason, has _never_ enabled Trim on non-Apple branded SSDs. I do not know of any HDD manufacturers that ever provided any kernel extensions that would enable Trim for their drives, so effectively, third-party SSDs have never had any official trim support on OS X.

    Before Yosemite this has never been an issue. Any user who was able to install their own SSD could also download the handy TRIM Enabler [cindori.org] software that forced Trim on for non-Apple SSDs. One toggle switch, one reboot, piece of cake. I've been running multiple Macs since OS 10.6 with multiple brands of SSDs (OCZ, Samsung, Intel, etc) with absolutely no issues and no signs of performance degradation.

    The difference in Yosemite is, as the summary says, non-signed Kernel extensions cannot be loaded by default. Since non-signed kexts are blocked, software like Trim Enabler cannot load. You CAN override this behavior, but there are potential issues (see the Trim Enabler site for more information [cindori.org]).

    There is absolutely no reason to believe that the decision to make Yosemite require signed kexts has anything to do with the status of trim on non-Apple SSDs. I doubt trim even crossed anybody's minds during the decision-making process. Trim Enabler is just an unfortunate casualty of kext signing (which itself is probably not a bad thing!).

    tl;dr -- a rather hysterical take on an issue that DOES display some Apple stupidity. Just let us enable trim on non-Apple drives natively and there's no problem!

    • by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Sunday November 16, 2014 @01:22PM (#48397331) Homepage Journal

      Apple, for whatever dumb reason, has _never_ enabled Trim on non-Apple branded SSDs.

      I don't work for Apple, but... Older MacBook Pros came with instructions for replacing the RAM and hard drive. This was considered a normal thing to do and didn't void warranties. For example, my 2011 MBP has normal Phillips screws on the bottom, and it takes me about two minutes to have the back panel off and the RAM and HDD snap right out.

      SSDs have a history of notoriously horrible firmware. SandForce, anyone? Someone goes to Best Buy and comes home with a new SSD, pops it into their MBP, uses it for a month, and the thing asplodes and eats their data. They call Apple support to scream at them for writing a terrible OS that loses their data, and Apple loses money and reputation.

      I can imagine perfectly non-nefarious reasons why Apple would disable TRIM by default and only enable it for drives that have been explicitly tested for compatibility. Even today, you can still turn TRIM on for yourself as you described, at the price of reverting to pre-Yosemite security. I haven't done so on the 840 EVO I swapped into my MBP because I've judged that it's not worth the tradeoff for me, but it's an option. Trim Enabler even has a GUI to do it for you.

      I'd be hard pressed to come up with more of a manufactured controversy.

      • It's not just Apple. I just got a new Asus laptop for a family member. It needed full disk encryption software installed (Windows 8 Home edition disables bitlocker), and in anticipation of screwing up the boot process I naturally wanted to image the drive first. The bottom comes off with a few screws, but what did I find inside? not only is the RAM soldered to the mainboard, but the hard drive has a 'warranty void if removed' sticker placed atop one of the retaining screws. Fortunately I don't care about wa

      • I haven't done so on the 840 EVO I swapped into my MBP because I've judged that it's not worth the tradeoff for me, but it's an option.

        That's where I am right now. I'm running Yosemite on my 2007 3,1 mbp with SSD. I have not, so far, used Trim Enabler to disable kext signing. We'll see if it ever comes to that.

        I'd be hard pressed to come up with more of a manufactured controversy.

        Well, I think there is a legitimate complaint in that there is no official Apple-approved mechanism for enabling trim on a non-Apple installed drive, but yes, this is a manufactured scandal.

      • by AmiMoJo ( 196126 ) * on Sunday November 16, 2014 @05:24PM (#48398605) Homepage Journal

        Lack of TRIM support guarantees that most SSDs will perform badly after some time. By your reasoning Apple will be blamed for writing crappy software that performs badly, which in this instance is correct.

        There is absolutely no reason not to enable TRIM on all SSDs. Apart from a small number with bad firmware a few years ago they all benefit from it. Whitelisting because of bugs in a few specific models is dumb; if they really cared they would just blacklist the known bad ones.

        Face it, Apple are just trying to make people buy their extremely overpriced SSD upgrades.

  • by kithrup ( 778358 ) on Sunday November 16, 2014 @01:12PM (#48397271)
    hadn't shown multiple vendors who can't implement TRIM properly. Like the very popular SSD vendor whose firmware treated any TRIM as "TRIM all blocks" several years ago. Or the currently-shipping vendor whose firmware causes TRIM to delete a random block.
    • by fnj ( 64210 )

      Broken hardware is no excuse for refusing to implement a standard ATA command. Broken hardware is dealt with by caveat emptor and warranty. You don't try to design your product so that it can work around any kind of broken hardware which has been randomly swapped into it.

  • Easier solution (Score:5, Interesting)

    by m.dillon ( 147925 ) on Sunday November 16, 2014 @01:24PM (#48397343) Homepage

    It isn't really true that SSD performance goes down by a whole lot if TRIM is not enabled. SSD performance and firmware has undergone radical improvements every year and people have come to the mistaken belief that enabling TRIM is responsible for most of the performance and wear leveling improvements.

    TRIM has numerous problems, not the least of which being drives and/or filesystems which do not implement it properly. Because its use and effects can be seriously non-deterministic (even in a proper implementation), any bug in the drive firmware OR the filesystem in the use of TRIM can create serious corruption issues down the line when the drive actually decides to blow away some of the trimmed sectors. The TRIM command was badly conceived from the get-go.

    The easiest and safest solution to getting 95% of the benefit of TRIM without actually using TRIM is to simply partition a factory fresh drive to leave a bit of unused space at the end... say another 5-10%. As long as it isn't written to, the drive will use that space as part of its dynamic wear leveling mechanic. As long as the drive also does static wear leveling (which nearly all will do these days), you wind up with nearly all the benefit of TRIM without having to actually use TRIM. TRIM was more important in the days where static wear leveling was not well implemented (or implemented at all). It is less useful these days.

    -Matt

    • by kithrup ( 778358 )
      TRIM is an optimization; SSDs have to move data around. Marking a block as free means that it doesn't have to move that block around. (Also, of course, it knows it can use it for a later target or allocation.)

      SSDs are best considered as filesystems internally -- they have to do block allocation and mapping, and they have to run consistency checks (and repairs!) at startup. Right now, I think most (if not all) of the vendors use a synchronous garbage-collection scheme, which shows up as random spikes i
      • by tepples ( 727027 )
        Why can't the OS just zero out unused sectors in the background while the laptop is charging and have the controller compress those zeroes?
        • by kithrup ( 778358 )

          Most operating systems prefer to erase a block (of memory, or disk) when it is requested the first time after being unallocated; this is done for several reasons, the most notable being some significant performance improvement.

          Even with an SSD, writing zeroes to a block to indicate it is now free would cost performance. Nowhere near as much as with a spinning disk, but it'd be there. (Remember, while that I/O operation is being done, that's going to mean some other I/O operation isn't.)

          • That is definitely incorrect. TRIM issuance is a filesystem-level operation or a disk partitioning level operation, not an OS-level operation. Due to ordering constraints, the OS cannot safely manage TRIM in the manner you suggest. A filesystem can, but honestly I don't know any filesystems which use TRIM that way. Smart SSD firmware can also delay TRIM in that matter but I don't know any that actually do. The filesystem will either issue the TRIM semi-synchronously or it will issue the TRIM as part of

    • by fnj ( 64210 )

      Overprovisioning and TRIM are orthogonal solutions to the problems of decreasing performance and limited device life. Only a fool leaves his seatbelt unattached because he has an airbag.

  • Apple has introduced features and adopted standards that made using third-party hardware progressively more difficult.

    If they're adopting standards, then shouldn't that make using third-party hardware easier, since that hardware merely has to be standard-compliant?

  • The latest episode of ATP (www.atp.fm), they heard from an Apple Engineer that Apple disables it because most makes of SSD are very inconsistent on how the TRIM command is executed. And Apple being Apple, they don't particularly want to try every SSD known to man to "support" them.

    Best bet is to use a drive with a controller than does it for you. I'm sporting SSDs from OWC and I haven't had any issues in speed and I've had them for over two years now.

  • I think I will make apple product owners wait 3 extra rings before answering.
    Maby I can even move non apple users up the queue. That'd be fun!
  • by rwyoder ( 759998 ) on Sunday November 16, 2014 @11:20PM (#48400105)

    I have a 2009 Macbook running Yosemite. Note this machine was not available with SSD at the time it was sold. A year ago I decided to put an SSD in it, and being aware of the TRIM issue, I made a point to buy a secondhand *Apple* SSD from a Macbook Pro. Neither Mavericks nor Yosemite will enable TRIM on this machine.

    So apparently, not only will OS X not enable TRIM on a non-Apple SSD, but the machine *must* be a model for which there was an SSD option at purchase.

"Show me a good loser, and I'll show you a loser." -- Vince Lombardi, football coach

Working...