Wednesday, November 7th 2018

Linux Won't Boot on New MacBook Air: Apple's T2 Security Chip Prevents It

The new MacBook Air with Retina display is overall a nice upgrade from the old versions of these laptops. There's one caveat, though: the new T2 chip, which manages Touch ID's Secure Enclave, APFS storage encryption and UEFI Secure Boot validation, will make it impossible to boot a Linux distribution. Apple's T2 documentation (PDF) explicitly states that support for booting Linux is not available: the Microsoft Corporation UEFI CA 2011 certificate, which is also used by Linux distributions, isn't trusted at this moment, so the T2 chip will not allow Linux distributions to boot. Only Windows is allowed to boot via Boot Camp at the moment.

Apple's Secure Boot support page shows how the new 'Startup Security Utility' can be used to disable Secure Boot, but some people have tried to boot Linux this way, and even with that change Linux will not boot. The problem extends to the other machines that include the T2 Security Chip, such as the Mac mini, the iMac Pro and the MacBook Pro 2018. Apple hasn't commented on the issue.
Source: Phoronix

16 Comments on Linux Won't Boot on New MacBook Air: Apple's T2 Security Chip Prevents It

#1
DeathtoGnomes
Apple's T2 documentation (PDF) explicitly covers how the support for booting Linux is not available: the Microsoft Corporation UEFI CA 2011 certificate used also by Linux distributions isn't trusted at this moment
I wonder how that got revoked. hmmm. :cool:
#2
Dragonsmonk
"DeathtoGnomes said:
I wonder how that got revoked. hmmm. :cool:
I wonder how long it will be until they get sued again for anti-competitive due to this.
#3
DeathtoGnomes
"Dragonsmonk said:
I wonder how long it will be until they get sued again for anti-competitive due to this.
No, it's a certificate trust issue; if this becomes a permanent problem, then yes, that could happen. It could be a minor oversight on Apple's part or intentional on m$'s part not re-certifying the trust. I think it's fishy either way.
#4
kastriot
Always some bull* with Apple "computers", I wonder why? ;)
#5
StrayKAT
Not sure why anyone would want to run Linux on a Mac anyways. It already runs UNIX.. and lets you play Windows games at full speed to boot.
#6
bonehead123
hummm,,,,,, m$ not recertifying a trust certificate, surely nOt....

sounds kinda fruity to me, or at least another cleverly-designed marketing ploy created to keep their new machines in the headlines as long as possible :D

or, "T2", as in "Terminator 2", as in: all yinz linus users are belong to us, hehehe !
#7
efikkan
"StrayKAT said:
Not sure why anyone would want to run Linux on a Mac anyways. It already runs UNIX.. and lets you play Windows games at full speed to boot.
Just because something is UNIX based, doesn't make it automatically good. Even Nintendo consoles run UNIX, that doesn't mean you can do whatever you want with them.

Installing Linux on Macs is primarily a developer thing. In the beginning Mac OS X was fairly decent, but over the years it has become more and more locked down, buggy and technically outdated. For a while many developers still bought Macs to install Linux for the build quality, but even that has degraded lately. These days vendors like Lenovo, Dell and HP offer better solutions, so you can keep your hard-earned cash away from Apple.
#8
StrayKAT
"efikkan said:
Just because something is UNIX based, doesn't make it automatically good. Even Nintendo consoles run UNIX, that doesn't mean you can do whatever you want with them.

Installing Linux on Macs is primarily a developer thing. In the beginning Mac OS X was fairly decent, but over the years it has become more and more locked down, buggy and technically outdated. For a while many developers still bought Macs to install Linux for the build quality, but even that has degraded lately. These days vendors like Lenovo, Dell and HP all offer better solutions, so you can keep your hard-earned cash away from Apple.
I don't think Nintendo has released much about their Switch OS. Do you mean PS4? Because it is based off of BSD Unix.

In any case, consoles are turnkey machines, with no *nix userland tools or interface for them to speak of. Mac OS is a certified UNIX, with all of the userland to boot (and ability to add more from premade Darwin packages or other ports). The only thing you wouldn't do is run a different windowing environment, but why would you want to? That's kind of my point earlier. It already has the base of Unix stuff shared across most *nix systems, and a better window environment to begin with (which has its own Mac ports anyways, like Libre/GIMP/etc).
#9
efikkan
"StrayKAT said:
I don't think Nintendo has released much about their Switch OS. Do you mean PS4? Because it is based off of BSD Unix.
Both Nintendo Switch and Wii are based on FreeBSD, just like PS4.

"StrayKAT said:

In any case, consoles are turnkey machines, with no *nix userland tools or interface for them to speak of. Mac OS is a certified UNIX, with all of the userland to boot (and ability to add more from premade Darwin packages or other ports). The only thing you wouldn't do is run a different windowing environment, but why would you want to? That's kind of my point earlier. It already has the base of Unix stuff shared across most *nix systems, and a better window environment to begin with (which has its own Mac ports anyways, like Libre/GIMP/etc).
Apple is making it harder and harder to install what you want on Macs, like unsigned software. The bundled software is really not good enough, so most developers need at least a better terminal and git, probably their favorite text-editor or IDE, plus all the toolchains tied to whatever they're making. Apple is also deprecating various open standards and formats, including lately OpenGL. It's only a matter of time before more stuff stops working.

And then there is the GUI; every serious developer configures their OS over time to fit their workflow, and most developers' workflows also evolve over time. The possibilities and ease of customization in Linux are magnitudes over Windows and OS X. Switching desktop environment is of course one of those options; just among five of my colleagues sitting closest to me I can find at least four different desktop environments on Linux, and each one made their choice based on convenience and workflow, not based on looks. It comes down to how people prefer to navigate between workspaces and windows, set up keyboard shortcuts etc. The possibilities to do this in Windows and OS X are very limited. Setting up a standard environment in Linux takes a few minutes; fresh Linux users usually start out by using it like they are used to from Windows or OS X, but gradually start to tweak it as they get accustomed to it. Then after years, going back feels like returning to the stone age, regardless of how "polished" some aspects of other OS' look. You need to use Linux for several years to fully understand this.
#10
Wavetrex
I wonder what happens if you carefully unsolder that chip off the motherboard?
#11
lexluthermiester
"Wavetrex said:
I wonder what happens if you carefully unsolder that chip off the motherboard?
System will not boot. That chip controls hardware startup routines.
#12
Easy Rhino
Linux Advocate
Gee, a security chip prevents unauthorized access to the walled garden. In other news, water is wet.
#13
texas64
The solution is to turn off Secure Boot, which disables T2.
#14
Prima.Vera
Well, if you buy any Apple product you deserve to be the prisoner of your own possession. ;)
#15
lexluthermiester
"texas64 said:
The solution is to turn-off Secure Boot, which disables T2.
On an Apple product? Can that be done?