Apple Blocks Linux From Booting On New Hardware With T2 Security Chip (phoronix.com)
AmiMoJo writes:
Apple's new-generation Macs come with a new so-called Apple T2 security chip that's supposed to provide a secure enclave co-processor responsible for powering a series of security features, including Touch ID. At the same time, this security chip enables the secure boot feature on Apple's computers, and by the looks of things, it's also responsible for a series of new restrictions that Linux users aren't going to like.
The issue seems to be that Apple has included security certificates for its own and Microsoft's operating systems (to allow running Windows via Bootcamp), but not for the certificate that was provided for systems such as Linux. Disabling Secure Boot can overcome this, but also disables access to the machine's internal storage, making installation of Linux impossible.
Seems like the most expensive way to get a Linux system. There have to be at least a dozen better choices for less money.
If you try to load Linux, it terminates your booting. If you manage to break through the security, it states, "I'll be back" and relentlessly pursues you until you are terminated.
Virtualization instead of dual booting means you need to buy twice as much RAM: half to run the host and half to run the guest. In addition, last I checked, a developer of an application that uses the GPU would be foolish to rely on performance in a VM as representative of performance on bare metal.
Don't fight uphill battles. System76 sells laptops with Linux pre-installed and so do many other vendors.
Mac OS is already loosely based on Unix
To nitpick, if you mean UNIX, technically macOS is registered as UNIX 03.
https://www.opengroup.org/open...
I assume by "loosely based" you were probably referring to Linux, more appropriately the GNU tools and what not that it contains.
But realistically, why bother except showing off you did it?
1) There are people for whom the hardware is great, but the operating system sucks.
2) Eventually, Apple will cripple the operating system to sell new hardware, and lots of people will discard perfectly good hardware. Being able to install Linux on it will keeps lots of toxic waste out of landfills for much longer.
Meanwhile Windows 10 not only allows Linux in the same machine, it now lets me run pretty much all of my Linux dev tools in Windows, without emulation, side by side with my Windows apps in one windowed shell.
When UEFI with Secure Boot was implemented several years ago, I warned that Secure Boot could be used to block Linux. But the Secure Boot people assured us that Linux could still boot by using a certified stub from Microsoft. That still was alarming to me because then Linux was relying on something from Microsoft, which historically had been very much against Linux. But even then, Secure Boot could still be disabled allowing Linux to be installed on the local storage device.
I never thought it would be Apple who would block Linux using Secure Boot. F*&# Apple!
A beautiful one line summary! Bravo!
Chromebooks do essentially the same thing.
This argument isn't remotely new. It goes back at least as far as trusted platform computing. And maybe as far back as the Clipper chip which was the primordial TPC mutation. It even has shades of the original 68K mac rom code.
The tension is who owns the computer if hardware prevents unsigned software from running in trusted status?
If the user does then viruses can never be stopped and evil users mean platforms can't be trusted on a network.
If the manufacturer or govt controls the signed boot chain of trust then you don't own the computer but for most people this level of control isn't important. And the benefits of having the safety of a trusted platform are overwhelmingly positive
The good news is that both Macs and Chromebooks support VM-like enclaves that suffice for most of the cases where it matters.
So we're left with edge cases where those people can just buy a machine without it.
Even if there were no commercial advantage of TPC it still was the inevitable security model. We had a lot of years to find something better and no one has that I know of.
The danger is creeping vertical integration of walled gardens that won't inter operate. That is where the commercial benefit lies. Not the signed boot
Some drink at the fountain of knowledge. Others just gargle.
Why can't you just run Linux in a VM?
Exactly.
You'd think that people with the skills to install Linux would realize that there's more than one way to install Linux on a computer. There's several quite capable VMs that I'm aware of with excellent support for running Linux on macOS. There's Parallels, VMWare, VirtualBox, just off the top of my head. I suspect that in no time we'll see ESXi get signed for Apple hardware for the people that take things up a notch on virtual machines, like myself.
If the goal is to test software on multiple platforms then I'm a bit doubtful one needs to run on the metal anyway. The only things that I can think of that need that kind of access to hardware would be drivers, and someone is not likely to write Linux drivers for Apple hardware this quickly except for things like getting it booting, which is exactly what people are working on right now.
Dual booting is for chumps. If you can't dig up real hardware or figure out how to run a VM then you are simply getting ahead of yourself. Make it work on the hardware and OS you got, then worry about making some money or dig through some university dumpsters for some hardware.
This is a made up problem since the hardware just came out. If this persists for a while then I might see an issue. My guess is someone figures this out next month but Slashdot won't post it because it's news where people can't go on bashing Apple.
I am armed because I am free. I am free because I am armed.
Actually, they did. They did exactly this on their ARM systems with UEFI. They will do it on x86 when the opportunity arises. It's only the potential for bad publicity and complaints that have kept it open up to this point. I would not assume any good intentions on the part of Microsoft; they hold the keys to the kingdom here, and the hardware is only open due to their choice.
So your "5 years" has suddenly turned into a decade.
That's still not enough. My current machine is a ThinkPad W510 which is comfortably getting on towards 9 years old. It's got 16G of RAM, which is still more than most midrange laptops ship with and what many laptops still max out at. If it starts feeling a bit spare, then I'll upgrade it to the maximum, which is now 32G with modern DIMMs. It's got plenty of SSD too.
I doubt this laptop will be ready for retirement in a year and a half, even without any additional upgrades.
You might argue that Lenovo don't support it any more. Sure, but unlike Apple, they went to some effort to let others do so; ubuntu was an officially supported OS for this machine, and it's built with quality, standard parts. I strongly suspect it would run Windows 10 fine too. They've essentially ensured it will be supported for a very, very long time.
SJW n. One who posts facts.
Wow .. I didn't know it was the future already. My Early 2011 MacBook Pro is stuck on High Sierra because it doesn't have the graphics hardware needed to make it to Mojave. ...
So yeah, I may have a desk full of Apple hardware, but I can see that Apple can't be trusted to keep supporting systems for more than 5 years.
A couple problems with this.
- It’s 2018, and 10.14 Mojave was just released. To this point your device has already been supported for 7 years.
- Apple maintains the three most recent releases of its OS. With the release of Mojave, Apple stopped patching 10.11 El Capitan. Your current OS, 10.13 High Sierra*, will continue to receive security patches for another 2-3 years.
So your “5 years” has suddenly turned into a decade.
* Also a classic movie starring Ida Lupino and Humphrey Bogart.
You are totally missing the point. Apple has introduced hardware requirements into its software that preclude me from running Apple software. Thus this outcry over the T2 chip is not surprising .. Apple has done this before and they will do it again.
I am Slashdot. Are you Slashdot as well?
dual booting is NOT for chumps.
case in point: I was dealing with a guy in my company (at a remote office) who was doing network testing of our embedded hardware and he was running a windows box with linux on top of it in a VM.
FOR NETWORK PERFORMANCE TESTING.
fuck! he was serious and had no idea that this was not the proper way to test for networking throughput, latency, jitter, etc. the vm layer will invalidate ALL tests you do. it's not a pass-through layer at all, not when I'm trying to quantify jitter and latency through a network router.
the ONLY valid way is to boot bare metal linux (using windows is beyond stupid for networking, even today) and run the rfc tests that way.
VMs are great for some things, but they are NOT the only way to get things done, and for many tasks, it's entirely the WRONG tool.
chump - LOL. wonder if mr. chumpmaster learned anything from this post. (nah, unlikely.)
--
"It is now safe to switch off your computer."
I'm still pretty sure dual booting is for chumps. Let's take your example.
If the guy needs Linux on the metal for running network tests then run Linux on the metal. He can run Windows in a VM if he needs that for things like e-mail and office apps. If he's doing work where he needs both Windows and Linux on the metal then he needs two computers. It's not like a computer is an expensive piece of hardware any more. If the company can't be bothered to get him the hardware but hobble him with reboots on a regular basis, as well as supporting computers with two operating systems installed, then they are penny wise and pound foolish.
Even then there are ways to pass through the network hardware on the computer to the VM. One easy way that most every virtualization package I've seen supports is a USB pass through. The freeware VM packages might throttle this to 100 Mbps speeds but the payware stuff will pass through at gigabit speeds. There's even PCI pass through on some VM packages if USB is insufficient.
If you are dual booting for something as trivial as what you describe then you are doing it wrong. It sounds like the guy is an idiot for hosting Linux on Windows instead of the other way around.
Network troubleshooting and scientific apps are some of the main reasons people dual-boot Linux
You're missing the point: Users deserve full control over their own computers. The user should decide what OSes they want to run. Treating users unethically by denying their software freedom is unjust. There are also ecological consequences others will no doubt get into which in the large affect us all. The amount of money spent on the computer is a very minor point at best.
Digital Citizen
That and GPU-intensive games.
You're doing it wrong.
I'm not big on GPU-intensive gaming so I have little first-hand experience on this, but I picked up a few things on this reading Slashdot. Apple hardware has been regularly mocked for its gaming performance; they just aren't built for it. On the low-end systems there's often a pretty pathetic GPU. On the high-dollar systems there might be a nice GPU, but they are optimized for workstation-type stuff, which is apparently different from what gamers want. Then there's issues of things like VR systems needing a GPU that simply does not exist in Apple hardware; it would have to be an add-on.
So, whatever the case the Linux gamer that is concerned about GPU intensive games will not be buying Apple hardware or they will do so knowing they need an external GPU for it to work well. If one is so adamant to spend the money needed for an external GPU then adding external bootable storage for the Linux OS will be nothing. The headline is deceiving, the computers seem to be able to boot an unsigned OS from external storage. If someone is going to add an external GPU to overcome the limitations of the Apple GPU then having an external boot drive is trivial in cost, complexity, and inconvenience.
Even if the internal GPU does meet their gaming needs, and they are adamant on running Linux to play those games, then just boot from external storage while gaming. Since there seems to be a lot of complaints on Apple not putting much for internal storage (size and/or speed), making internal drive upgrades difficult to impossible, and/or a custom build with a larger drive from Apple being expensive, I'm guessing that external boot drives for the Linux on Mac gamers is the norm already.
Which virtualization package were you thinking of?
All of them.
Unless you are running some really odd hardware then there's a way to pass through the network to the VM at full speed on every VM package I've seen. I'm guessing I've seen a lot of them but not all. If the speed of the network is critical, and you need it for an OS in a VM on a Mac, and this is for mission critical work at a for profit business, then I'm guessing one just needs to suck it up and open up the wallet a bit for the right software. I double checked VMWare's website because that's what I use on my laptop and they say VMWare Fusion supports USB3 speeds on pass through. That should be good for gigabit Ethernet on any USB3 Apple computer, and quite likely 10 Gbps for any Mac with USB-C ports and the right adapter.
Not sure if this should be considered fake news or ignorance. What Apple have done is no different that any other device shipped with Secure Boot enabled by default, and it is just as configurable.
Simply boot into MacOS via recovery mode and from there you can use the Startup Security Utility to configure the boot requirements by selecting
a) only MacOS to boot,
b) any signed certificate such as Microsoft's UEFI certificate which is also used by some Linux SecureBoot systems, or
c) disable the check completely.
https://support.apple.com/en-u...
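The post above turns on which signer certificates the firmware's allow list (the UEFI `db` variable) actually contains: option b) works for a Linux distribution only if the certificate that signed its shim is enrolled. The script below is an added example, not code from the original thread or from Apple; it parses the EFI_SIGNATURE_LIST layout that `db`, `dbx` and `KEK` use, so you can list what is enrolled and test whether a given signer certificate is among the X509 entries. The certificate bytes, owner GUIDs and file names are constructed stand-ins (real entries carry DER-encoded certificates); the two signature-type GUIDs and the 4-byte attribute prefix on efivars files are from the UEFI specification and the Linux efivarfs format.

```python
import hashlib
import struct
import uuid

# SignatureType GUIDs defined by the UEFI specification for EFI_SIGNATURE_LIST.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize.
LIST_HEADER = struct.Struct("<16sIII")


def build_signature_list(sig_type, owner, signatures):
    """Serialise one EFI_SIGNATURE_LIST. Every entry in a list shares one SignatureSize,
    which is why firmware normally stores one X509 certificate per list."""
    sizes = {len(s) for s in signatures}
    if len(sizes) != 1:
        raise ValueError("all signatures in one list must have equal size")
    sig_size = 16 + sizes.pop()  # SignatureOwner GUID + SignatureData
    body = b"".join(owner.bytes_le + s for s in signatures)
    header = LIST_HEADER.pack(sig_type.bytes_le, LIST_HEADER.size + len(body), 0, sig_size)
    return header + body


def parse_signature_lists(data):
    """Walk a concatenation of EFI_SIGNATURE_LIST structures.
    Returns [(type_name, owner_guid, signature_data), ...]; raises on a truncated or
    inconsistent blob instead of silently reading past the end."""
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < LIST_HEADER.size:
            raise ValueError("truncated list header at offset %d" % off)
        raw_type, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(data, off)
        end = off + list_size
        if list_size < LIST_HEADER.size + hdr_size or end > len(data):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        body = data[off + LIST_HEADER.size + hdr_size:end]
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=raw_type)  # GUIDs are stored little-endian
        type_name = SIG_TYPE_NAMES.get(sig_type, str(sig_type))
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((type_name, owner, body[i + 16:i + sig_size]))
        off = end
    return entries


def strip_efivar_attributes(raw):
    """Files under /sys/firmware/efi/efivars/ start with a 4-byte attribute word."""
    return raw[4:]


def signer_enrolled(entries, cert_der):
    """True if this exact certificate is present as an X509 entry (a signer allowed to sign
    boot binaries). SHA256 entries allow one specific binary, not a signer, so they are ignored."""
    return any(t == "X509" and sig == cert_der for t, _, sig in entries)


def describe(entries):
    """Human-readable summary: type, owner GUID and a short SHA-256 fingerprint per entry."""
    return ["%s owner=%s sha256=%s" % (t, o, hashlib.sha256(s).hexdigest()[:16])
            for t, o, s in entries]


# --- Constructed sample data (not a real db, not real certificates) ---
OWNER_VENDOR = uuid.UUID("11111111-2222-4333-8444-555555555555")
OWNER_OTHER = uuid.UUID("66666666-7777-4888-8999-aaaaaaaaaaaa")
VENDOR_CERT = b"constructed: platform vendor CA (not real DER)"
WINDOWS_CERT = b"constructed: Windows production CA (not real DER)"
SHIM_CERT = b"constructed: third-party UEFI CA that signs shim"
SAMPLE_DB = (
    build_signature_list(EFI_CERT_X509_GUID, OWNER_VENDOR, [VENDOR_CERT])
    + build_signature_list(EFI_CERT_X509_GUID, OWNER_OTHER, [WINDOWS_CERT])
    + build_signature_list(EFI_CERT_SHA256_GUID, OWNER_VENDOR,
                           [hashlib.sha256(b"firmware-tool.efi").digest(),
                            hashlib.sha256(b"diag.efi").digest()])
)
# Attribute word 0x07 = NON_VOLATILE | BOOTSERVICE_ACCESS | RUNTIME_ACCESS, as efivarfs exposes it.
SAMPLE_EFIVAR = b"\x07\x00\x00\x00" + SAMPLE_DB


if __name__ == "__main__":
    db = parse_signature_lists(strip_efivar_attributes(SAMPLE_EFIVAR))
    print("\n".join(describe(db)))
    print("shim signer enrolled:", signer_enrolled(db, SHIM_CERT))
```

On a Linux system with efivarfs mounted, replace `SAMPLE_EFIVAR` with the contents of `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` (that GUID is EFI_IMAGE_SECURITY_DATABASE_GUID from the specification) and pass the DER bytes of the CA that signed your shim; a `False` result means option b) cannot boot that shim regardless of how the shim itself is signed. Whether a given machine exposes its allow list through this variable at all is outside what the thread establishes.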
So using a VM to run Linux is not an appropriate solution.
Then don't buy Apple hardware. At least not until this Linux boot issue is resolved.
I've heard two reasons people run Linux on Apple hardware. First, Apple makes nice hardware and (until now at least) Linux support was quite good. So, buy used, wait and see if this issue is resolved, or both. Second, while a person might prefer Linux they have a need to run macOS for their work. In this case a dual boot is used, or running a VM with either macOS or Linux as host and the other as guest. Running Linux on the metal is in this case merely preferable, not required.
I'm not seeing a problem here.
December 26, 1966. I switched to Linux, never looked back. Here is my credo: If it doesn't run Linux, or if such and such is not available for Linux,
I don't do *any* business with them. Period, end of story. Bill Gates and Tim Cook can kiss my Alaskan Arse.
This has a double-edged sword though. The bad is when Apple stops supporting this machine, you can't just slap Ubuntu on it and continue using it, but you get to choose between keeping using an obsolete OS with security issues, going with Windows, or chucking the machine entirely.
I personally have tested this. At first, I set the security level to "none", booted Ubuntu, because I do a blkdiscard on the SSD to ensure that there is absolutely nothing on the drive before I install macOS. Lo and behold no drives, not via NVMe, not SATA.
I hope this is just an oversight. I would be surprised and extremely disappointed if Apple actually did not want Linux to run on their product by actively barring the UEFI shim needed to load Red Hat, Ubuntu, and others.
As of now, using virtualization software is a solution, although Parallels is "meh" at best, VirtualBox has gotchas, so your best bet is VMWare Fusion Pro, which isn't cheap, but well worth it.
They say that if you do (c) it removes access to the internal storage. But you didn't fucking read because YOU hate apple being in the wrong somewhere or somehow.
They say no such thing. English may not be your first language, but c'mon, there is only one sentence discussing option c). To help you along, click the below link to Google Translate and select a language you do understand:
https://translate.google.com/#....