Apple Blocks Linux From Booting On New Hardware With T2 Security Chip

AmiMoJo writes: Apple's new-generation Macs come with a new so-called Apple T2 security chip that's supposed to provide a secure enclave co-processor responsible for powering a series of security features, including Touch ID. At the same time, this security chip enables the secure boot feature on Apple's computers, and by the looks of things, it's also responsible for a series of new restrictions that Linux users aren't going to like.

The issue seems to be that Apple has included security certificates for its own and Microsoft's operating systems (to allow running Windows via Bootcamp), but not for the certificate that was provided for systems such as Linux. Disabling Secure Boot can overcome this, but also disables access to the machine's internal storage, making installation of Linux impossible.

Linux Subsystem for Windows

[im_thatoneguy]

Meanwhile Windows 10 not only allows Linux in the same machine it now let's me run pretty much all of my Linux dev tools in Windows, without emulation, side by side my Windows apps in one windowed shell.

Secure Boot

When UEFI with Secure Boot was implemented several years ago, I warned that Secure Boot could be used to block Linux. But the Secure Boot people assured us that Linux could still boot by using a certified stub from Microsoft. That still was alarming to me because then Linux was relying on something from Microsoft, which historically had been very much against Linux. But even then, Secure Boot could still be disabled allowing Linux to be installed on the local storage device.

I never thought it would be Apple who would block Linux using Secure Boot. F*&# Apple!

Re: Annoying, but not a deal-breaker?

[serviscope_minor]

So your "5 years" has suddenly turned into a decade.

That's still not enough. My current machine is a thinkpad W510 which is comfortably getting on towards 9 years old. It's got 16G of RAM which is still more than most midrange laptops ship with and what many laptops still max out at. If it starts feeling a bit spare, then I'll upgrade it to the maximum which is now 32G with modern DIMMS. It's got plenty of SSD too.

I doubt this laptop will be ready for retirement in a year and a half, even without any additional upgrades.

You might argue that Lenovo don't support it any more. Sure, but unlike Apple, they went to some effort to let others do so; ubuntu was an officially supported OS for this machine, and it's built with quality, standard parts. I strongly suspect it would run Windows 10 fine too. They've essentially ensured it will be supported for a very, very long time.

Re:Linux on a new Mac — why?

[HiThere]

Sorry, but no.
That's not sufficient for me to consider Apple an acceptable vendor.

If I buy (when I bought) an Apple it was with the intention of running all my software native. Some software was native Linux, and for that I rebooted into the Linux partition. Some was Apple, and for that I rebooted into the Apple partition. Seriously, the Apple software wasn't sufficiently CPU intensive that running native was necessary, but that was the only way I know how to run it. The Linux software needed better access to the hardware, and a VM was not a satisfactory solution.

The Linux software was important. The Apple software was only games, and because I didn't want to support MS.

So, OK, if this is true I'll just give Apple a skip, too, the next time I purchase a computer (probably sometime next year, but maybe the year after that).

Re:Linux on a new Mac - why?

[ctilsie242]

This has a double-edged sword though. The bad is when Apple stops supporting this machine, you can't just slap Ubuntu on it and continue using it, but you get to choose between keeping using an obsolete OS with security issues, going with Windows, or chucking the machine entirely.

I personally have tested this. At first, I set the security level to "none", booted Ubuntu, because I do a blkdiscard on the SSD to ensure that there is absolutely nothing on the drive before I install macOS. Lo and behold no drives, not via NVMe, not SATA.

I hope this is just an oversight. I would be surprised and extremely diappointed if Apple actually did not want Linux to run on their product by actively barring the UEFI shim needed to load RedHat, Ubuntu, and others.

As of now, using virtualization software is a solution, although Parallels is "meh" at best, VirtualBox has gotchas, so your best bet is VMWare Fusion Pro, which isn't cheap, but well worth it.