Slashdot Mirror


Apple Blocks Linux From Booting On New Hardware With T2 Security Chip (phoronix.com)

AmiMoJo writes: Apple's new-generation Macs come with a new so-called Apple T2 security chip that's supposed to provide a secure enclave co-processor responsible for powering a series of security features, including Touch ID. At the same time, this security chip enables the secure boot feature on Apple's computers, and by the looks of things, it's also responsible for a series of new restrictions that Linux users aren't going to like.

The issue seems to be that Apple has included security certificates for its own and Microsoft's operating systems (to allow running Windows via Bootcamp), but not for the certificate that was provided for systems such as Linux. Disabling Secure Boot can overcome this, but also disables access to the machine's internal storage, making installation of Linux impossible.


  1. Linux on a new Mac — why? by Kohath · · Score: 4, Insightful

    Seems like the most expensive way to get a Linux system. There have to be at least a dozen better choices for less money.

    1. Re:Linux on a new Mac — why? by ShanghaiBill · · Score: 3, Insightful

      A Mac running X11/Linux is the only (legal) way to develop and test macOS and X11/Linux versions of one application on one machine.

      Why can't you just run Linux in a VM?

    2. Re:Linux on a new Mac — why? by Crash+Dummy+Redux · · Score: 5, Insightful

      When your Mac can no longer run the latest and greatest version of Mac OS, you can install Linux to keep using it after you get a new Mac. Now it can only be used as a paperweight.

    3. Re:Linux on a new Mac — why? by Greyfox · · Score: 4, Insightful

      I haven't checked in a while, but the old Mac Pro was a reasonably cost-effective way to get a multiprocessor Xeon system. I still have a couple of the aluminum towers from the mid 00's kicking around -- one has a 32 bit bootloader for 64 bit hardware, so if you want to run a 64 bit OS on it you have to install some code that thunks driver calls to 32 bits. That one is currently running Ubuntu Linux and is serving as a PBX system for an airport diner. The other one is currently awaiting a new Linux install and will end up being a development and test machine, which it's plenty powerful for.

      In the 10-15 years since I purchased those machines, Dell's replaced Apple for my out-of-the-box hardware needs -- I can get better hardware for the same price and they'll frequently offer Linux as an OS install option. Personally I'd usually rather just build my own hardware, but sometimes you just need some hardware immediately. I've gotten some pretty beefy server hardware from Dell and been mightily impressed by it, and am actually dropping some decades-old grudges against the company with the caveat, "They're great as long as you NEVER have to talk to their support people."

      So yeah, there are less expensive ways to get better hardware, so unless you have a boner for some of Apple's hardware, there's really not any reason to buy them. Funnily the last time they went all proprietary like this, they almost went bankrupt. Given how popular Linux is now, I'm not sure Microsoft will bail them out if it happens again.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    4. Re:Linux on a new Mac — why? by Kjella · · Score: 5, Insightful

      Seems like the most expensive way to get a Linux system. There have to be at least a dozen better choices for less money.

      That's not really the point. If Apple is allowed to make x86 hardware that won't run Linux, I bet Microsoft will "align" their policy to allow it and do the same to their Surface line. Then the OEMs will follow. And then System76 and other niche players are your only choice. Considering they explicitly mention the Linux signing key this is not an accident, it's probably a trial balloon from Apple to see what happens if they ship Macs that don't run Linux ahead of a migration to ARM. Since Windows on ARM doesn't make much sense, they're setting up a play where the new Macs only run Apple's OS and nothing else.

      Remember the PC as an open platform is something of an historical accident based on the naivety of IBM. Microsoft introduced the lock down capability with Secure Boot, but couldn't go through with it due to public outcry. They did try to lock it down with WinRT, except it flopped. Apple did lock down the mobile side with iOS and would like to do it on Macs. It's only dual-booting Mac and Linux users who'd like the status quo preserved. Don't assume that it'll transfer to any new "class" of desktop and don't assume it won't happen. The desktop is ripe for a major cataclysm like what iPhone/Android did to the mobile market.

      --
      Live today, because you never know what tomorrow brings

    5. Re:Linux on a new Mac — why? by omnichad · · Score: 3, Informative

      The latest update on the article points here:
      https://unix.stackexchange.com...

      Linux is simply blocked from even seeing the SSD hardware by the T2 chip.

  2. T2 Chip by Anonymous Coward · · Score: 3, Funny

    If you try to load Linux, it terminates your booting. If you manage to break through the security, it states, "I'll be back" and relentlessly pursues you until you are terminated.

  3. System76 by reanjr · · Score: 4, Informative

    Don't fight uphill battles. System76 sells laptops with Linux pre-installed and so do many other vendors.

    1. Re:System76 by Anonymous Coward · · Score: 5, Informative

      Don't fight uphill battles. System76 sells laptops with Linux pre-installed and so do many other vendors.

      And System76 neuters the Intel Management Engine, which is pretty awesome: https://blog.system76.com/post/168050597573/system76-me-firmware-updates-plan

    2. Re:System76 by serviscope_minor · · Score: 3, Insightful

      It's not about running Linux on a laptop, it's about pretending to have a grievance. :eyeroll:

      That was one of the smugest posts I've read in a while.

      Back to reality, Linux has long been a favourite way round these parts for rescuing old hardware from the landfill. Apple just nixed that option. Yay more landfill.

      --
      SJW n. One who posts facts.

  4. Re:Annoying, but not a deal-breaker? by StormReaver · · Score: 4, Insightful

    But realistically, why bother except showing off you did it?

    1) There are people for whom the hardware is great, but the operating system sucks.

    2) Eventually, Apple will cripple the operating system to sell new hardware, and lots of people will discard perfectly good hardware. Being able to install Linux on it will keep lots of toxic waste out of landfills for much longer.

  5. Linux Subsystem for Windows by im_thatoneguy · · Score: 3, Interesting

    Meanwhile Windows 10 not only allows Linux in the same machine, it now lets me run pretty much all of my Linux dev tools in Windows, without emulation, side by side with my Windows apps in one windowed shell.

  6. Re:Linux on a new Mac - why? by blindseer · · Score: 3, Insightful

    Why can't you just run Linux in a VM?

    Exactly.

    You'd think that people with the skills to install Linux would realize that there's more than one way to install Linux on a computer. There's several quite capable VMs that I'm aware of with excellent support for running Linux on macOS. There's Parallels, VMWare, VirtualBox, just off the top of my head. I suspect that in no time we'll see ESXi get signed for Apple hardware for the people that take things up a notch on virtual machines, like myself.

    If the goal is to test software on multiple platforms then I'm a bit doubtful one needs to run on the metal anyway. The only things that I can think of that need that kind of access to hardware would be drivers, and someone is not likely to write Linux drivers for Apple hardware this quickly except for things like getting it booting, which is exactly what people are working on right now.

    Dual booting is for chumps. If you can't dig up real hardware or figure out how to run a VM then you are simply getting ahead of yourself. Make it work on the hardware and OS you got, then worry about making some money or dig through some university dumpsters for some hardware.

    This is a made up problem since the hardware just came out. If this persists for a while then I might see an issue. My guess is someone figures this out next month but Slashdot won't post it because it's news where people can't go on bashing Apple.

    --
    I am armed because I am free. I am free because I am armed.

  7. Re: Annoying, but not a deal-breaker? by rl117 · · Score: 4, Informative

    Actually, they did. They did exactly this on their ARM systems with UEFI. They will do it on x86 when the opportunity arises. It's only the potential for bad publicity and complaints that have kept it open up to this point. I would not assume any good intentions on the part of Microsoft; they hold the keys to the kingdom here, and the hardware is only open due to their choice.

  8. Re: Annoying, but not a deal-breaker? by serviscope_minor · · Score: 3, Interesting

    So your "5 years" has suddenly turned into a decade.

    That's still not enough. My current machine is a ThinkPad W510 which is comfortably getting on towards 9 years old. It's got 16G of RAM which is still more than most midrange laptops ship with and what many laptops still max out at. If it starts feeling a bit spare, then I'll upgrade it to the maximum which is now 32G with modern DIMMS. It's got plenty of SSD too.

    I doubt this laptop will be ready for retirement in a year and a half, even without any additional upgrades.

    You might argue that Lenovo don't support it any more. Sure, but unlike Apple, they went to some effort to let others do so; Ubuntu was an officially supported OS for this machine, and it's built with quality, standard parts. I strongly suspect it would run Windows 10 fine too. They've essentially ensured it will be supported for a very, very long time.

    --
    SJW n. One who posts facts.

  9. Re:Linux on a new Mac - why? by Dorianny · · Score: 3, Insightful

    Yes, we are all aware of VMs and use them whenever appropriate. The problem with VMs is that they don't have direct access to the underlying hardware, which means that you can't use them for applications requiring low level access to the Network Card or the GPU.

    Network troubleshooting and scientific apps are some of the main reasons people dual-boot Linux.

  10. Denying a user's software freedom is unjust. by jbn-o · · Score: 5, Insightful

    You're missing the point: Users deserve full control over their own computers. The user should decide what OSes they want to run. Treating users unethically by denying their software freedom is unjust. There are also ecological consequences others will no doubt get into which in the large affect us all. The amount of money spent on the computer is a very minor point at best.

  11. No they don't! by thegarbz · · Score: 4, Informative

    Not sure if this should be considered fake news or ignorance. What Apple have done is no different than any other device shipped with Secure Boot enabled by default, and it is just as configurable.

    Simply boot into MacOS via recovery mode and from there you can use the Startup Security Utility to configure the boot requirements by selecting
    a) only MacOS to boot,
    b) any signed certificate such as Microsoft's UEFI certificate which is also used by some Linux SecureBoot systems, or
    c) disable the check completely.

    https://support.apple.com/en-u...

  12. Re:Linux on a new Mac - why? by ctilsie242 · · Score: 3, Interesting

    This has a double-edged sword though. The bad is when Apple stops supporting this machine, you can't just slap Ubuntu on it and continue using it, but you get to choose between keeping using an obsolete OS with security issues, going with Windows, or chucking the machine entirely.

    I personally have tested this. At first, I set the security level to "none", booted Ubuntu, because I do a blkdiscard on the SSD to ensure that there is absolutely nothing on the drive before I install macOS. Lo and behold no drives, not via NVMe, not SATA.

    I hope this is just an oversight. I would be surprised and extremely disappointed if Apple actually did not want Linux to run on their product by actively barring the UEFI shim needed to load RedHat, Ubuntu, and others.

    As of now, using virtualization software is a solution, although Parallels is "meh" at best, VirtualBox has gotchas, so your best bet is VMWare Fusion Pro, which isn't cheap, but well worth it.