Apple Blocks Linux From Booting On New Hardware With T2 Security Chip (phoronix.com)
AmiMoJo writes:
Apple's new-generation Macs come with a new so-called Apple T2 security chip that's supposed to provide a secure enclave co-processor responsible for powering a series of security features, including Touch ID. At the same time, this security chip enables the secure boot feature on Apple's computers, and by the looks of things, it's also responsible for a series of new restrictions that Linux users aren't going to like.
The issue seems to be that Apple has included security certificates for its own and Microsoft's operating systems (to allow running Windows via Bootcamp), but not for the certificate that was provided for systems such as Linux. Disabling Secure Boot can overcome this, but also disables access to the machine's internal storage, making installation of Linux impossible.
Meanwhile Windows 10 not only allows Linux in the same machine, it now lets me run pretty much all of my Linux dev tools in Windows, without emulation, side by side with my Windows apps in one windowed shell.
When UEFI with Secure Boot was implemented several years ago, I warned that Secure Boot could be used to block Linux. But the Secure Boot people assured us that Linux could still boot by using a certified stub from Microsoft. That still was alarming to me because then Linux was relying on something from Microsoft, which historically had been very much against Linux. But even then, Secure Boot could still be disabled allowing Linux to be installed on the local storage device.
I never thought it would be Apple who would block Linux using Secure Boot. F*&# Apple!
So your "5 years" has suddenly turned into a decade.
That's still not enough. My current machine is a ThinkPad W510 which is comfortably getting on towards 9 years old. It's got 16G of RAM which is still more than most midrange laptops ship with and what many laptops still max out at. If it starts feeling a bit spare, then I'll upgrade it to the maximum which is now 32G with modern DIMMs. It's got plenty of SSD too.
I doubt this laptop will be ready for retirement in a year and a half, even without any additional upgrades.
You might argue that Lenovo don't support it any more. Sure, but unlike Apple, they went to some effort to let others do so; Ubuntu was an officially supported OS for this machine, and it's built with quality, standard parts. I strongly suspect it would run Windows 10 fine too. They've essentially ensured it will be supported for a very, very long time.
SJW n. One who posts facts.
Sorry, but no.
That's not sufficient for me to consider Apple an acceptable vendor.
If I buy (when I bought) an Apple it was with the intention of running all my software native. Some software was native Linux, and for that I rebooted into the Linux partition. Some was Apple, and for that I rebooted into the Apple partition. Seriously, the Apple software wasn't sufficiently CPU intensive that running native was necessary, but that was the only way I know how to run it. The Linux software needed better access to the hardware, and a VM was not a satisfactory solution.
The Linux software was important. The Apple software was only games, and because I didn't want to support MS.
So, OK, if this is true I'll just give Apple a skip, too, the next time I purchase a computer (probably sometime next year, but maybe the year after that).
I think we've pushed this "anyone can grow up to be president" thing too far.
You are thinking short term. Think long term, this affects future resale value. This affects if it will be even usable in 3yr or 4yr or.
How many computers have you kept for more than 4 years? I'm guessing not that many.
I buy nice computers and so I tend to keep them running for 4 or 5 years. As I've been a laptop user for nearly 20 years now I'm on my 4th new laptop. I get mocked for not buying computers more often as people notice I'm running hardware that's 3 years old. My brothers got in the habit of buying a new laptop nearly every year because in that time they find it getting slow for their needs, wear it out, or break it. I broke one of mine, busted it up real good on its 3rd year. It happens. I was a bit upset with myself but I picked up the pieces, was able to get my data off of it, bought a new laptop, and moved on.
More often than not a 4 year old computer is worthless. I'm sure a high dollar system can be very useful for much longer but it will be relegated to secondary use, given away, or sold off for pennies. As I sit here in my office I have six computers booted up in front of me. That's because I'm a code monkey and pack rat. I pulled a couple of these computers out of the trash because the businesses that owned them considered them worthless, there is no resale value on 4 year old hardware so that does not concern me. To me these old computers are "toys", something to play with as at their age they are slow, outdated, and something I consider unreliable. They do nothing of importance but I find them convenient. I am the outlier, as again most people would have thrown this hardware away. Even then I buy a new laptop every 4 or 5 years (except in the case of unrecoverable damage) because I need something reliable for my day to day stuff. And at that I'm even the outlier for keeping my daily workhorse for so long.
I guess you like not owning anything
I like owning my stuff just fine. That includes my data. Secure storage on a computer means my data remains my data, and Apple just offered another layer on their hardware to assure that my data stays my data.
Secure storage is a good thing. You are merely creating a straw man to rip on this feature, something other computer makers offered for years. Now that it's on an Apple then I guess it becomes "bad", because Apple is "bad".
I am armed because I am free. I am free because I am armed.
This has a double-edged sword though. The bad is when Apple stops supporting this machine, you can't just slap Ubuntu on it and continue using it, but you get to choose between keeping using an obsolete OS with security issues, going with Windows, or chucking the machine entirely.
I personally have tested this. At first, I set the security level to "none", booted Ubuntu, because I do a blkdiscard on the SSD to ensure that there is absolutely nothing on the drive before I install macOS. Lo and behold no drives, not via NVMe, not SATA.
I hope this is just an oversight. I would be surprised and extremely disappointed if Apple actually did not want Linux to run on their product by actively barring the UEFI shim needed to load Red Hat, Ubuntu, and others.
As of now, using virtualization software is a solution, although Parallels is "meh" at best, VirtualBox has gotchas, so your best bet is VMware Fusion Pro, which isn't cheap, but well worth it.