Paired recoveryOS restrictions
In macOS 12.0.1 or later, every new macOS installation also installs a paired version of recoveryOS into the corresponding APFS volume group. This design is familiar to users of Intel-based Mac computers, but on a Mac with Apple silicon, it provides additional security and compatibility guarantees. Giving every macOS installation its own dedicated paired recoveryOS helps ensure that only that paired recoveryOS can perform security-downgrading operations. This helps protect installations of newer versions of macOS from tampering initiated from older versions of macOS, and vice versa.
The pairing restrictions are enforced as follows:
All installations of macOS 11 are paired to the recoveryOS. If a macOS 11 installation is selected to boot by default, the recoveryOS is booted by holding down the power key at boot time on a Mac with Apple silicon. The recoveryOS can downgrade security settings of any macOS 11 installations, but not any installations of macOS 12.0.1.
If a macOS 12.0.1 or later installation is selected to boot by default, its paired recoveryOS is booted by holding down the power key when the Mac starts up. The paired recoveryOS can downgrade security settings for the paired macOS installation, but not for any other macOS installation.
To boot into a paired recoveryOS for any macOS installation, that installation needs to be selected as the default, which is done using General > Startup Disk in System Settings (macOS 13 or later), Startup Disk in System Preferences (macOS 12 or earlier), or by starting any recoveryOS and holding Option while selecting a volume.
Note: Fallback recoveryOS can’t perform downgrades for any macOS installations.
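The pairing rules above, modeled as a small Python check. This is an added example, not Apple's code: the installation names, the tuple labels used for each recoveryOS and the function names are constructed for illustration, and versions the page does not mention are rejected rather than guessed.

```python
from dataclasses import dataclass

PAIRED_MIN = (12, 0, 1)       # first release the page says installs a paired recoveryOS
FALLBACK = ("fallback", None)  # label for the fallback recoveryOS (constructed)

@dataclass(frozen=True)
class Install:
    name: str     # hypothetical label for the installation's volume group
    version: str  # macOS version, e.g. "11.6" or "13.4"

def _ver(version):
    return tuple(int(part) for part in version.split("."))

def recovery_for(install):
    """recoveryOS that boots on power-hold when `install` is the default."""
    v = _ver(install.version)
    if v >= PAIRED_MIN:
        return ("paired", install.name)  # one recoveryOS per installation
    if v[0] == 11:
        return ("macos11", None)         # shared by all macOS 11 installations
    raise ValueError("version not covered by the page: " + install.version)

def can_downgrade(recovery, target):
    """True if `recovery` may lower the security settings of `target`."""
    kind, owner = recovery
    if kind == "paired":
        return owner == target.name      # only its own paired installation
    if kind == "macos11":
        return _ver(target.version)[0] == 11
    return False                         # fallback recoveryOS, or unknown: deny

def must_change_startup_disk(default, target):
    """True if `target` must first be selected as the default installation."""
    return not can_downgrade(recovery_for(default), target)

def matrix(installs):
    """Map each recoveryOS to the installations it is allowed to downgrade."""
    recoveries = {recovery_for(i) for i in installs} | {FALLBACK}
    return {r: sorted(t.name for t in installs if can_downgrade(r, t))
            for r in recoveries}

# Constructed sample: one Mac with four installations.
SAMPLE = [Install("big-sur-a", "11.6"), Install("big-sur-b", "11.7.10"),
          Install("monterey", "12.6"), Install("ventura", "13.4")]

if __name__ == "__main__":
    for recovery, targets in sorted(matrix(SAMPLE).items(), key=str):
        print(recovery, "->", targets)
```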