Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Blocks Linux From Booting On New Hardware With T2 Security Chip (phoronix.com)

Posted by EditorDavid on from the walling-the-garden dept.

AmiMoJo writes: Apple's new-generation Macs come with a new so-called Apple T2 security chip that's supposed to provide a secure enclave co-processor responsible for powering a series of security features, including Touch ID. At the same time, this security chip enables the secure boot feature on Apple's computers, and by the looks of things, it's also responsible for a series of new restrictions that Linux users aren't going to like.

The issue seems to be that Apple has included security certificates for its own and Microsoft's operating systems (to allow running Windows via Bootcamp), but not for the certificate that was provided for systems such as Linux. Disabling Secure Boot can overcome this, but also disables access to the machine's internal storage, making installation of Linux impossible.

10 of 373 comments (clear)

  1. Linux on a new Mac — why? by Kohath · · Score: 4, Insightful

    Seems like the most expensive way to get a Linux system. There have to be at least a dozen better choices for less money.

    1. Re:Linux on a new Mac — why? by Crash+Dummy+Redux · · Score: 5, Insightful

      When your Mac can no longer run the latest and greatest version of Mac OS, you can install Linux to keep using it after you get a new Mac. Now it can only be used as a paperweight.

    2. Re:Linux on a new Mac — why? by Greyfox · · Score: 4, Insightful
      I haven't checked in a while, but the old Mac Pro was a reasonably cost-effective way to get a multiprocessor Xeon system. I still have a couple of the aluminum towers from the mid 00's kicking around -- one has a 32 bit bootloader for 64 bit hardware, so if you want to run a 64 bit OS on it you have to install some code that thunks driver calls to 32 bits. That one is currently running Ubuntu Linux and is serving as a PBX system for an airport diner. The other one is currently awaiting a new Linux install and will end up being a development and test machine, which it's plenty powerful for.

      In the 10-15 years since I purchased those machines, Dell's replaced Apple for my out-of-the-box hardware needs -- I can get better hardware for the same price and they'll frequently offer Linux as an OS install option. Personally I'd usually rather just build my own hardware, but sometimes you just need some hardware immediately. I've gotten some pretty beefy server hardware from Dell and been mightily impressed by it, and am actually dropping some decades-old grudges against the company with the caveat, "They're great as long as you NEVER have to talk to their support people."

      So yeah, there are less expensive ways to get better hardware, so unless you have a boner for some of Apple's hardware, there's really not any reason to buy them. Funnily the last time they went all proprietary like this, they almost went bankrupt. Given how popular Linux is now, I'm not sure Microsoft will bail them out if it happens again.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    3. Re:Linux on a new Mac — why? by Kjella · · Score: 5, Insightful

      Seems like the most expensive way to get a Linux system. There have to be at least a dozen better choices for less money.

      That's not really the point. If Apple is allowed to make x86 hardware that won't run Linux, I bet Microsoft will "align" their policy to allow it and do the same to their Surface line. Then the OEMs will follow. And then System76 and other niche players is your only choice. Considering they explicitly mention the Linux signing key this is not an accident, it's probably a trial balloon from Apple to see what happens if they ship Macs that don't run Linux ahead of a migration to ARM. Since Windows on ARM doesn't make much sense, they're setting up a play where the new Macs only runs Apple's OS and nothing else.

      Remember the PC as an open platform is something of an historical accident based on the naivety of IBM. Microsoft introduced the lock down capability with Secure Boot, but couldn't go through with it due to public outcry. They did try to lock it down with WinRT, except it flopped. Apple did lock down the mobile side with iOS and would like to do it on Macs. It's only dual-booting Mac and Linux users who'd like the status quo preserved. Don't assume that it'll transfer to any new "class" of desktop and don't assume it won't happen. The desktop is ripe for a major cataclysm like what iPhone/Android did to the mobile market.

      --
      Live today, because you never know what tomorrow brings
  2. System76 by reanjr · · Score: 4, Informative

    Don't fight uphill battles. System76 sells laptops with Linux pre-installed and so do many other vendors.

    1. Re:System76 by Anonymous Coward · · Score: 5, Informative

      Don't fight uphill battles. System76 sells laptops with Linux pre-installed and so do many other vendors.

      And System76 neuters the Intel Management Engine, which is pretty awesome: https://blog.system76.com/post/168050597573/system76-me-firmware-updates-plan

  3. Re:Annoying, but not a deal-breaker? by StormReaver · · Score: 4, Insightful

    But realistically, why bother except showing off you did it?

    1) There are people for whom the hardware is great, but the operating system sucks.

    2) Eventually, Apple will cripple the operating system to sell new hardware, and lots of people will discard perfectly good hardware. Being able to install Linux on it will keeps lots of toxic waste out of landfills for much longer.

  4. Re: Annoying, but not a deal-breaker? by rl117 · · Score: 4, Informative

    Actually, they did. They did exactly this on their ARM systems with UEFI. They will do it on x86 when the opportunity arises. It's only the potential for bad publicity and complaints that have kept it open up to this point. I would not assume any good intentions on the part of Microsoft; they hold the keys to the kingdom here, and the hardware is only open due to their choice.

  5. Denying a user's software freedom is unjust. by jbn-o · · Score: 5, Insightful

    You're missing the point: Users deserve full control over their own computers. The user should decide what OSes they want to run. Treating users unethically by denying their software freedom is unjust. There are also ecological consequences others will no doubt get into which in the large affect us all. The amount of money spent on the computer is a very minor point at best.

    --
    Digital Citizen
  6. No they don't! by thegarbz · · Score: 4, Informative

    Not sure if this should be considered fake news or ignorance. What Apple have done is no different that any other device shipped with Secure Boot enabled by default, and it is just as configurable.

    Simply boot into MacOS via recovery mode and from there you can use the Startup Security Utility to configure the boot requirements by selecting
    a) only MacOS to boot,
    b) any signed certificate such as Microsoft's UEFI certificate which is also used by some Linux SecureBoot systems, or
    c) disable the check completely.

    https://support.apple.com/en-u...