T2 security chip blocking Linux from booting


(Curtis Wilcox) #1

Apple’s New Hardware With The T2 Security Chip Will Currently Block Linux From Booting - Phoronix

I understand the security benefits but I’m old school enough to believe that if I buy what meets the traditional definition of “a computer,” that means I own it and should be able to install a different OS. Not providing drivers or documentation for how new hardware works is one thing, preventing even booting is something else.


(Tommy Weir) #2

They certainly seem very proud of the T2 and it’s emerged with a central role in what Apple believe to be the definition of what a computer now is. Security is an Apple strength, can’t see them shying away from it. The T2 chip and its full role is still only becoming clear. Beyond security it handles audio and other aspects, preventing access to the mic when sleeping etc.

I’m sure there’ll be a Linux certificate much as Windows 10 has once someone works out what needs doing.


(Paul Schinder) #3

Trouble is, unlike Windows there isn’t a “Linux OS”, there are various and sundry Linux distributions, each with its own software, including kernel version. (The only one I’m using currently is Raspbian, but I’ve used various other flavors of Linux in the past, including versions on Macs.) Depending on what the T2 chip is doing, this might cause problems. And given the recent events in the Linux community and the possibility of a kernel fork, this might only get worse. Whatever Apple is allowing the T2 chip to do to interfere, they should allow the hardware owner to disable it.


(Curtis Wilcox) #4

The article refers to how this works with other PC manufacturers; Microsoft’s UEFI certificate authority is already used to sign some Linux distributions, Apple just hasn’t written their computers’ firmware to honor them. But they could and they could push that out in one of their firmware updates.

I don’t know how hard it would be for any specific Linux distribution to get signing. It’s also possible that it’s currently not done by the organizations responsible for a Linux distribution but by PC manufacturers that offer them as a preinstalled choice, i.e. “Red Hat” downloaded from that organization wouldn’t but a specific version offered by Dell for specific models would be signed by Dell.


(Tommy Weir) #5

That’ll be the interesting point of contention. Watch this space.


(Doug Miller) #6

iMore has an article that says that this may not be a thing. https://www.imore.com/no-apples-not-locking-you-out-linux-macs-t2-chip


(Curtis Wilcox) #7

Thanks, I should have remembered that firmware security screen, I had to use it to enable externally booting an iMac Pro.


#8

A new development that could get very interesting down the road. IBM, who has a longtime partnership with Apple, just bought Red Hat:

IBM to Buy Red Hat, the Top Linux Distributor, for $34 Billion


(paulc) #9

Only caveat is if your boot system is an array, it will not create any recovery partition. Remains to be seen how it might work in, say, a cMP if you have one bootable but not primary boot drive installed drive.