Apple blocking Linux installs on newest Macs with T2 chip

[Jito463]

https://www.theregister.co.uk/2018/11/06/apple_mac_linux_woes/

 

It seems that Apple isn't happy with people running Linux on their newest Macbook Air and Mac Mini models (presumably any new models with the T2 chip).  The MS cert that Linux users have been using to authenticate the UEFI boot on Macs is no longer accepted.

Quote

Out of the box, the Mac doesn't like to boot anything that isn't Apple approved. It will go into Recovery, Diagnostics or Internet Recovery mode, but anything else is a definite no-no. The machines will, by default, only trust content signed by Apple.

 

In documentation for the T2 chip (PDF) kind old Cupertino concedes that people might want to use other, non-Apple, operating systems and so you can use BootCamp to get Windows up and running thanks to a copy of the Microsoft Windows Production CA 2011 certificate in the UEFI firmware.

 

The problems come when you want to run something that isn't Windows. In the past, Linux fans were able to make use of the Microsoft Corporation UEFI CA 2011. But not any more. According to Apple: "There is currently no trust provided for the the Microsoft Corporation UEFI CA 2011."

 

This is bad news since, in Apple's words, "This UEFI CA is commonly used to verify the authenticity of bootloaders for other operating systems such as Linux variants."

Normally, that wouldn't be much of an issue as one can typically disable Secure Boot via a utility, but apparently that no longer works.

Quote

At this point Penguinistas would expect to be able to reach for the Apple Startup Security Utility, which provides the option to boot with No Security. However, according to Apple, this option "does not enforce any requirements on the bootable OS".

 

Obviously, this has its downsides, but if you're savvy enough to try to put Linux on a Mac, you should understand the implications.

 

The problem is that, according to a posting on StackExchange, changing the Secure Boot option "makes no difference".

I find it ironic that everyone freaked out at MS when Secure Boot was implemented, because they thought it was an attempt to block the install of non-Windows operating systems; yet it ends up being Apple who does the blocking, despite MacOS being built on *Nix.  I've never been a fan of Apple, but I never thought of them as dumb.  However, they really seem to be making some dumb moves lately.

[DrMacintosh]

Well Secure boot only allows macOS and Windows to boot on the machine, anything else is considered a security risk. 

 

You can disable the T2 chip in all Macs that have it if you really need Linux on a MacBook for some reason and a VM won't do. 

[Jito463]

One minute, I think that's a new personal best for you.  

2 minutes ago, DrMacintosh said:

Well Secure boot only allows macOS and Windows to boot on the machine, anything else is considered a security risk.

Except that previously, it appears Linux users could use the MS cert to authenticate Linux while still using SB.  This is apparently no longer the case.

3 minutes ago, DrMacintosh said:

You can disable the T2 chip in all Macs that have it if you really need Linux on a MacBook for some reason and a VM won't do.

I haven't read up too much on it, but have they stated what the T2 chip actually does, and what the repercussions are of disabling it?

[Blademaster91]

I guess Linux is a "security risk" LOL.

What is more dumb IMO is them using security as an excuse to get rid of the data recovery port to save a few cents on build cost, sure security is nice to a point but too far when you can't recover anything from a dead machine.

[Drak3]

If you're buying ANY Mac device to install another OS to, you need to reevaluate your life decisions.

[DrMacintosh]

7 minutes ago, Blademaster91 said:

sure security is nice to a point but too far when you can't recover anything from a dead machine.

Ever heard of TimeMachine? Backup your data 

[DrMacintosh]

9 minutes ago, Jito463 said:

I haven't read up too much on it, but have they stated what the T2 chip actually does, and what the repercussions are of disabling it?

https://support.apple.com/en-us/HT208862

https://support.apple.com/en-us/HT208330

[Jito463]

2 minutes ago, DrMacintosh said:

https://support.apple.com/en-us/HT208330

According to this link, one should be able to use the Startup Security Utility to disable SB, but according to the article people were reporting that it doesn't work.

https://unix.stackexchange.com/questions/463422/2018-macbook-pro-tb-1tb-ssd

[NumLock21]

The F is it with The Register's title for this article?

 

 

[Jito463]

3 minutes ago, NumLock21 said:

The F is it with The Register's title for this article?

They were making a play on the guard quotes from TES IV: Oblivion, whenever you get caught breaking the law.

 

 

[Curufinwe_wins]

32 minutes ago, Drak3 said:

If you're buying ANY Mac device to install another OS to, you need to reevaluate your life decisions.

In fairness. Bootcamp is arguably a much superior option than the freeware alternatives for dual booting, and dual booting has a LOT of applications.

 

Truth be told, dual booting is literally the only application I have ever recommended an OS 10.X device for in the 5 or so years. The hardware and software are just too shitty (for the price) to recommend for anyone only using one OS.

[BlueChinchillaEatingDorito]

38 minutes ago, Blademaster91 said:

I guess Linux is a "security risk" LOL.

There's a lot that can go wrong with an Open Source OS. 

[Master Disaster]

3 hours ago, Drak3 said:

If you're buying ANY Mac device to install another OS to, you need to reevaluate your life decisions.

I think you're missing the point. Nobody buys a 2018 Mac to run Linux on it however in 2021 when Apple stop offering updates for the device running Linux is a great way of keeping an old device running latest version software.

 

Apple are effectively ensuring their old and unsupported devices are even more unsupported once they stop supporting them. Yet another way to force users running old hardware to chuck it away and upgrade.

 

There's something Jim Sterling always says about greedy game publishers that also applies to Apple. Every company wants more money, that's why they exist but these mega corporations aren't happy with just some money, they want all the money and unfortunately, because money isn't infinite they can't have all the money. The richest and greediest corporations all face a paradox, they're doing so well now and exactly because they're doing so well now means investors and shareholders expect more growth permanently but permanent growth is impossible because as I've already said, there isn't infinite money so there has to come a point where, they've pulled every stunt and burned every bridge and yet are still "unsuccessful" in the eyes of the investors and shareholders. That doesn't necessarily mean they're unprofitable either, they can still be making money every month but because its not actual growth they're still classed as unsuccessful non the less.

 

Apple are rapidly approaching that point, that's why they're resorting to increasingly underhanded tactics to force users to upgrade older hardware, they have to maintain that growth, even a plateau would be considered failure in the eyes of the business world.

[Linus_torvalds]

LOL who buys macbooks for linux is dumb! First of all those machines are so weak, they have the worst build quality! Second there exists legendary thinkpad series, which cost less then macbooks with much better hardware and run linux prety well AND are much more good looking! Fuck apple!

 

But i must admit every time apple makes such moves to limit their users, or raises prices for their product i like it! Because their customers deserve all that and even worse! GG apple!

[Mooshi]

Remember when Celeb nudes were leaked because of Linux? Man, what a security ris- oh wait.

[Guest]

The MacOS kernel is open source as well so I don't think that situation is against open source or Linux, I don't think there is some sort of apple conspiracy.

That just means new certificates are required and maybe not today but they'll surely do that in the future, like Microsoft did with secure boot.

[Guest]

Wouldn’t have been able to install Linux on them anyway.

[Bananasplit_00]

2 hours ago, mate_mate91 said:

they have the worst build quality!

maybe the newer ones, but the 2015 and back ones are really nice at least. mom has had a 2012 and a 2015 and they feel really goood. the OS in unbareable and the specs for the price are garbage but they feel nice to hold and look pretty good too

[Linus_torvalds]

6 minutes ago, Bananasplit_00 said:

maybe the newer ones, but the 2015 and back ones are really nice at least.

LOL they were Designed to break!

 

[Sauron]

3 hours ago, Drak3 said:

If you're buying ANY Mac device to install another OS to, you need to reevaluate your life decisions.

Maybe so, but it's still not very nice... plus, if you want to keep using it beyond the product's end of life (with OS updates) Linux has always been a good option.

[Dabombinable]

39 minutes ago, Sauron said:

Maybe so, but it's still not very nice... plus, if you want to keep using it beyond the product's end of life (with OS updates) Linux has always been a good option.

Its staggering when you realise just how many old computers are actually still useful if updated to a Linux Distro. Even old Celeron M or Pentium IV laptops.

[captain_to_fire]

4 hours ago, Jito463 said:

I find it ironic that everyone freaked out at MS when Secure Boot was implemented, because they thought it was an attempt to block the install of non-Windows operating systems; yet it ends up being Apple who does the blocking, despite MacOS being built on *Nix.  I've never been a fan of Apple, but I never thought of them as dumb.  However, they really seem to be making some dumb moves lately.

I don't really see this as a problem when it can be disabled. 

[Salv8 (sam)]

5 hours ago, DrMacintosh said:

Well Secure boot only allows macOS and Windows to boot on the machine, anything else is considered a security risk. 

anything else is considered a security risk. 

a security risk.

linux users...

go ahead...

i can't be bothered to argue against this...

i'm tired of this stuff, i can't continue on...

thank you, thank you, ill be here all week!!!

[ScratchCat]

4 hours ago, DrMacintosh said:

Ever heard of TimeMachine? Backup your data 

As you have experienced, Time Machine isn't 100% reliable. Just because you have a second option does not mean you should get rid of the first.

4 hours ago, BlueChinchillaEatingDorito said:

There's a lot that can go wrong with an Open Source OS. 

A lot has gone and will continue to go wrong with every major OS, regardless of being open source or not.

[Syntaxvgm]

Can't you disable the secure boot? lol