Skip to content

Overview

Introduction

This is not a deep dive manual or a sysadmin brain dump.
It’s my learning map — an outline of how macOS comes alive, from firmware to Finder.

Each phase is distilled into a handful of one‑liners: small in scope, but expandable whenever I want to investigate further.
It’s my breadcrumb trail when I get lost, my checklist when troubleshooting, and my reminder that there’s no “magic” in macOS once you follow the chain of events.

I’m still learning. This page shows my current mental map — not mastery of every corner of Darwin and Aqua.

Phase 1 – Firmware & Boot Loader

BootROM / iBoot stage
- On Intel Macs: BootROM runs POST, initializes hardware, and finds the EFI System Partition (ESP).
- On Apple Silicon: The BootROM is immutable in hardware and runs low‑level code to bring up the system‑on‑chip components.

Secure Boot
- Apple Secure Boot verifies the integrity of the boot loader and kernel via Apple‑signed signatures.
- On T2‑equipped Intel Macs, iBoot enforces this; on Apple Silicon, the Secure Enclave participates in validation.

Startup Disk & iBoot
- iBoot (Apple’s boot loader) loads the macOS kernel and essential components from the chosen startup volume.
- On encrypted volumes with FileVault, authentication happens here before the system disk is unlocked.

Pre‑kernel drivers (kexts)
- Minimal kernel extensions for storage, filesystem (APFS), and bus initialization are loaded — just enough to mount the root volume.

Phase 2 – Kernel & Low‑Level Init

XNU Kernel
- Hybrid kernel combining Mach microkernel, BSD layer, and I/O Kit. Handles scheduling, memory, IPC, and device management.

I/O Kit
- Object‑oriented driver framework in C++ that initializes device drivers in dependency order.

Root filesystem mount
- APFS root volume mounts in read‑only mode (in modern macOS), with a separate writable “Data” volume merged at runtime.

Security & Sandbox frameworks
- Mandatory Access Control frameworks (Seatbelt sandbox, SIP) engage early to enforce integrity and privilege limits.

launchd handoff
- Once kernel space is initialized, control passes to /sbin/launchd — the master process in user space.

Phase 3 – User Space Initialization

launchd (PID 1)
- Replaces the traditional init. Reads property lists (.plist) to start system services, daemons, and agents.
- Manages both system‑wide services and per‑user agents later in the process.

System bootstrap services
- WindowServer: Compositor for all on‑screen graphics.
- configd: Manages dynamic configuration for networking.
- notifyd, distnoted: Interprocess notifications.
- opendirectoryd: Directory services (local accounts, LDAP, Active Directory integration).

Security services
- securityd handles keychain and cryptographic operations.
- opendirectoryd works with login and authentication.

Phase 4 – Login & GUI Environment

loginwindow
- Displays the macOS login screen, manages authentication (password, Touch ID, Apple Watch unlock).
- Invokes authentication backends via OpenDirectory.

User session launch
- Once authenticated, launchd starts the user’s session‑specific agents from ~/Library/LaunchAgents and /Library/LaunchAgents.

Dock & Finder
- Finder provides the desktop metaphor: windows, icons, file management.
- Dock launches and switches apps, shows running tasks.

SystemUIServer
- Draws the menu bar, status items, and handles some system‑wide UI interactions.

Phase 5 – Core Foundations

File System Layout
- /System: Read‑only OS binaries (sealed system volume).
- /System/Library: Core frameworks, kernel extensions, system daemons.
- /Applications: Apple‑supplied apps.
- /Users: Home directories.

Configuration Stores
- Property lists (.plist) in Library folders define settings for apps, services, and OS.
- Defaults system (defaults command) interacts with these.

Service Management
- launchd supervises all system daemons and per‑user agents.
- Services are defined in plist files with triggers (at login, on demand, after filesystem mount).

Security & Identity
- Keychain for credentials, certificates, and secure notes.
- Gatekeeper enforces app signing and notarization.
- System Integrity Protection blocks even root from modifying protected parts of the OS.

Networking
- Managed by configd and related helpers (networkd, mDNSResponder).
- Supports dynamic changes without reboot.

Closing Note

Walking through the macOS startup sequence turns it from a black box into a chain of deliberate stages — each with its own artifacts, logs, and vulnerabilities.
From immutable BootROM to the responsive Finder desktop, every layer has a place and purpose, and knowing the map lets me troubleshoot, secure, and explore with intent.