Apple Blocks Linux From Booting On New Hardware With T2 Security Chip

AmiMoJo writes: Apple's new-generation Macs come with a new so-called Apple T2 security chip that's supposed to provide a secure enclave co-processor responsible for powering a series of security features, including Touch ID. At the same time, this security chip enables the secure boot feature on Apple's computers, and by the looks of things, it's also responsible for a series of new restrictions that Linux users aren't going to like.

The issue seems to be that Apple has included security certificates for its own and Microsoft's operating systems (to allow running Windows via Bootcamp), but not for the certificate that was provided for systems such as Linux. Disabling Secure Boot can overcome this, but also disables access to the machine's internal storage, making installation of Linux impossible.

Linux on a new Mac — why?

[Kohath]

Seems like the most expensive way to get a Linux system. There have to be at least a dozen better choices for less money.

Re:Linux on a new Mac — why?

[ShanghaiBill]

A Mac running X11/Linux is the only (legal) way to develop and test macOS and X11/Linux versions of one application on one machine.

Why can't you just run Linux in a VM?

Re:Linux on a new Mac — why?

[Crash+Dummy+Redux]

When your Mac can no longer run the latest and greatest version of Mac OS, you can install Linux to keep using it after you get a new Mac. Now it can only be used as a paperweight.

Re:Linux on a new Mac — why?

[Greyfox]

I haven't checked in a while, but the old Mac Pro was a reasonably cost-effective way to get a multiprocessor Xeon system. I still have a couple of the aluminum towers from the mid 00's kicking around -- one has a 32 bit bootloader for 64 bit hardware, so if you want to run a 64 bit OS on it you have to install some code that thunks driver calls to 32 bits. That one is currently running Ubuntu Linux and is serving as a PBX system for an airport diner. The other one is currently awaiting a new Linux install and will end up being a development and test machine, which it's plenty powerful for.

In the 10-15 years since I purchased those machines, Dell's replaced Apple for my out-of-the-box hardware needs -- I can get better hardware for the same price and they'll frequently offer Linux as an OS install option. Personally I'd usually rather just build my own hardware, but sometimes you just need some hardware immediately. I've gotten some pretty beefy server hardware from Dell and been mightily impressed by it, and am actually dropping some decades-old grudges against the company with the caveat, "They're great as long as you NEVER have to talk to their support people."

So yeah, there are less expensive ways to get better hardware, so unless you have a boner for some of Apple's hardware, there's really not any reason to buy them. Funnily the last time they went all proprietary like this, they almost went bankrupt. Given how popular Linux is now, I'm not sure Microsoft will bail them out if it happens again.

Re:Linux on a new Mac — why?

[Kjella]

Seems like the most expensive way to get a Linux system. There have to be at least a dozen better choices for less money.

That's not really the point. If Apple is allowed to make x86 hardware that won't run Linux, I bet Microsoft will "align" their policy to allow it and do the same to their Surface line. Then the OEMs will follow. And then System76 and other niche players is your only choice. Considering they explicitly mention the Linux signing key this is not an accident, it's probably a trial balloon from Apple to see what happens if they ship Macs that don't run Linux ahead of a migration to ARM. Since Windows on ARM doesn't make much sense, they're setting up a play where the new Macs only runs Apple's OS and nothing else.

Remember the PC as an open platform is something of an historical accident based on the naivety of IBM. Microsoft introduced the lock down capability with Secure Boot, but couldn't go through with it due to public outcry. They did try to lock it down with WinRT, except it flopped. Apple did lock down the mobile side with iOS and would like to do it on Macs. It's only dual-booting Mac and Linux users who'd like the status quo preserved. Don't assume that it'll transfer to any new "class" of desktop and don't assume it won't happen. The desktop is ripe for a major cataclysm like what iPhone/Android did to the mobile market.

Re:Annoying, but not a deal-breaker?

[StormReaver]

But realistically, why bother except showing off you did it?

1) There are people for whom the hardware is great, but the operating system sucks.

2) Eventually, Apple will cripple the operating system to sell new hardware, and lots of people will discard perfectly good hardware. Being able to install Linux on it will keeps lots of toxic waste out of landfills for much longer.

Re:Linux on a new Mac - why?

[blindseer]

Why can't you just run Linux in a VM?

Exactly.

You'd think that people with the skills to install Linux would realize that there's more than one way to install Linux on a computer. There's several quite capable VMs that I'm aware of with excellent support for running Linux on macOS. There's Parallels, VMWare, VirtualBox, just off the top of my head. I suspect that in no time we'll see ESXi get signed for Apple hardware for the people that take things up a notch on virtual machines, like myself.

If the goal is to test software on multiple platforms then I'm a bit doubtful one needs to run on the metal anyway. The only things that I can think of that need that kind of access to hardware would be drivers, and someone is not likely to write Linux drivers for Apple hardware this quickly except for things like getting it booting, which is exactly what people are working on right now.

Dual booting is for chumps. If you can't dig up real hardware or figure out how to run a VM then you are simply getting ahead of yourself. Make it work on the hardware and OS you got, then worry about making some money or dig through some university dumpsters for some hardware.

This is a made up problem since the hardware just came out. If this persists for a while then I might see an issue. My guess is someone figures this out next month but Slashdot won't post it because it's news where people can't go on bashing Apple.

Re:System76

[serviscope_minor]

It's not about running Linux on a laptop, it's about pretending to have a grievance. :eyeroll:

That was one of the smugest posts I've read in a while.

Back to reality, Linux has long been a favourite way round these parts for escuing old hardware from the landfill. Apple just nixed that option. Yay more landfill.

Re:Linux on a new Mac - why?

[blindseer]

I'm still pretty sure dual booting is for chumps. Let's take your example.

If the guy needs Linux on the metal for running network tests then run Linux on the metal. He can run Windows in a VM if he needs that for things like e-mail and office apps. If he's doing work where he needs both Windows and Linux on the metal then he needs two computers. It's not like a computer is an expensive piece of hardware any more. If the company can't be bothered to get him the hardware but hobble him with reboots on a regular basis, as well as supporting computers with two operating systems installed, then they are penny wise and pound foolish.

Even then there are ways to pass through the network hardware on the computer to the VM. One easy way that most every virtualization package I've seen supports is a USB pass through. The freeware VM packages might throttle this to 100 Mbps speeds but the payware stuff will pass through at gigabit speeds. There's even PCI pass through on some VM packages if USB is insufficient.

If you are dual booting for something as trivial as what you describe then you are doing it wrong. It sounds like the guy is an idiot for hosting Linux on Windows instead of the other way around.

Re:Linux on a new Mac - why?

[Dorianny]

Yes we are all aware of VM's and use them whenever appropriate. The problem with VM's is that they don't have direct access to the underlying hardware which means that you can't use them for applications requiring low level access to the Network Card or the GPU.

Network troubleshooting and scientific apps are some of the main reasons people dual-boot Linux

Denying a user's software freedom is unjust.

[jbn-o]

You're missing the point: Users deserve full control over their own computers. The user should decide what OSes they want to run. Treating users unethically by denying their software freedom is unjust. There are also ecological consequences others will no doubt get into which in the large affect us all. The amount of money spent on the computer is a very minor point at best.