New MacBooks can't load Linux due to T2 chip
Linux enthusiasts often install a free OS on Apple hardware, including the MacBook Air, and get a double benefit: a convenient operating system from their usual distribution and the reliability of Apple hardware. Even Linus Torvalds used a MacBook Air for a time.
However, those happy times may be over. Apple's new line of hardware has become more hostile to Linux. The problem is the new T2 security chip, which Apple has added to the latest models of its computers. It effectively blocks Linux from booting on the Mac Mini, reports the Linux news site Phoronix. Apparently the situation is the same on the other models that ship with this chip.
The T2 security chip is responsible for encrypting the APFS storage, performing UEFI Secure Boot verification, processing Touch ID, disconnecting the microphone in hardware when the laptop lid is closed, and other security tasks. It also controls the boot process, verifying each stage of the boot chain against Apple-signed cryptographic keys.
Booting alternative operating systems has therefore become difficult. By default, even Microsoft Windows will not boot on the new Apple systems until Windows support is enabled through the Boot Camp Assistant in macOS. That tool installs the Windows Production CA 2011 certificate, which is used to authenticate Microsoft's own bootloaders. But it does not install the Microsoft UEFI CA that verifies code signed by Microsoft partners, including the bootloaders that Linux distributions have signed so that they boot under UEFI Secure Boot on Windows PCs.
Apple's T2 documentation makes this explicit and mentions Linux by name: "There is currently no trust chain for Microsoft Corporation UEFI CA 2011, which allows verification of code signed by Microsoft partners. This UEFI CA is usually used to authenticate boot loaders for other operating systems, such as Linux variants," the document says.
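The practical question behind the two certificates above is simply which CAs a firmware's Secure Boot allow-list (the UEFI `db` variable) actually contains. The following Python script is an added example, not code from Apple, Phoronix or the original article: it parses the `EFI_SIGNATURE_LIST` structures that make up `db`, fingerprints every enrolled X.509 certificate, and reports which of a caller-supplied set of expected CAs is missing. It assumes a Linux host with efivarfs mounted (so it can be run on any UEFI PC, or on a Mac that already boots Linux; the T2's own trust store is not exposed this way). The sample `db` blob, the owner GUID and the placeholder "certificate" bytes are constructed for the example; no real CA fingerprints are hard-coded, because those are the caller's input.

```python
import hashlib
import struct
import uuid

# SignatureType GUIDs from the UEFI specification (EFI_CERT_X509_GUID and
# EFI_CERT_SHA256_GUID). The db variable lives under
# EFI_IMAGE_SECURITY_DATABASE_GUID, which gives the efivarfs file name below.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
DB_EFIVARS_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

# Fixed header of EFI_SIGNATURE_LIST: SignatureType (GUID, mixed-endian),
# SignatureListSize, SignatureHeaderSize, SignatureSize (UINT32, little-endian).
_ESL_HEADER = struct.Struct("<16sIII")


def parse_signature_lists(blob):
    """Walk a concatenation of EFI_SIGNATURE_LIST structures (the raw value of
    db/dbx/KEK) and return (signature_type, owner, data) tuples, one per
    EFI_SIGNATURE_DATA entry. Malformed sizes raise ValueError instead of
    silently yielding a wrong trust list."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        raw_type, list_size, hdr_size, sig_size = _ESL_HEADER.unpack_from(blob, off)
        sig_type = uuid.UUID(bytes_le=raw_type)
        if list_size < _ESL_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        if sig_size < 16:
            raise ValueError("SignatureSize smaller than the SignatureOwner GUID")
        body = blob[off + _ESL_HEADER.size + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature array is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def x509_fingerprints(blob):
    """SHA-256 fingerprints (hex) of every DER certificate enrolled in the blob."""
    return {hashlib.sha256(data).hexdigest()
            for sig_type, _owner, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_X509_GUID}


def missing_cas(blob, expected):
    """expected maps a CA name to its SHA-256 certificate fingerprint (hex).
    Returns the names whose certificate is not enrolled in the blob."""
    present = x509_fingerprints(blob)
    return sorted(name for name, fp in expected.items() if fp.lower() not in present)


def read_efivar(path=DB_EFIVARS_PATH):
    """Read a variable from efivarfs; the first 4 bytes are the variable
    attributes, not part of the signature lists."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_signature_list(sig_type, owner, payloads):
    """Encode equal-length payloads as one EFI_SIGNATURE_LIST. Used here only
    to construct sample input; a real db is read from firmware."""
    if any(len(p) != len(payloads[0]) for p in payloads):
        raise ValueError("all entries in one list must have the same size")
    body = b"".join(owner.bytes_le + p for p in payloads)
    header = _ESL_HEADER.pack(sig_type.bytes_le, _ESL_HEADER.size + len(body),
                              0, 16 + len(payloads[0]))
    return header + body


# Constructed sample db: one X.509 entry plus two SHA-256 allow-list hashes.
# The owner GUID and the "certificate" bytes are placeholders, not real data.
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_CERT = b"placeholder DER for Windows Production CA 2011"
SAMPLE_CERT_FP = hashlib.sha256(SAMPLE_CERT).hexdigest()
SAMPLE_DB = (
    build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_CERT])
    + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER,
                           [hashlib.sha256(b"hash-A").digest(),
                            hashlib.sha256(b"hash-B").digest()])
)

if __name__ == "__main__":
    # Assumed fingerprints for illustration; substitute the real values of the
    # certificates you trust (e.g. read_efivar() on a live system).
    expected = {"Windows Production CA 2011": SAMPLE_CERT_FP,
                "Microsoft Corporation UEFI CA 2011": "00" * 32}
    for sig_type, owner, data in parse_signature_lists(SAMPLE_DB):
        print(sig_type, owner, len(data), "bytes")
    print("not enrolled:", missing_cas(SAMPLE_DB, expected))
```

On a live system replace `SAMPLE_DB` with `read_efivar()`; a `db` that holds the Windows Production CA but not the Microsoft Corporation UEFI CA 2011 is exactly the situation the Apple documentation describes, and a distribution bootloader signed under the partner CA will be rejected there.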
In other words, until Apple adds this certificate, or the T2 chip is hacked so that it can be disabled entirely or made to accept arbitrary keys, booting Linux distributions on the new Apple hardware will be difficult.
Apple support has posted an explanation. According to it, alternative operating systems can still be booted if Secure Boot is turned off entirely via the Startup Security Utility in macOS Recovery.
One would expect that disabling Secure Boot would let Linux boot without problems, but that is not the case. Users report that even with this setting the T2 chip still blocks every operating system except macOS and Windows 10. This is odd, because the "No Security" option in the Startup Security Utility states that it imposes no security requirements on the boot disk.
The T2 chip is built into the latest notebooks, including the MacBook Pro introduced earlier this year and the recently announced MacBook Air. It is also used in the Mac Mini desktop.
Apple claims that the T2 provides an "unprecedented" level of security for the Mac. Not everyone welcomes the change, however, and some developers have voiced their discontent. For example, the author of the Macs Fan Control application says that his program will no longer work under Windows on the iMac Pro and the 2018 MacBook Pro: "Additional security is great (although we did not ask for it), but only when these restrictions are not mandatory and an experienced user can disable them. Unfortunately, Apple is wrong: it is increasingly moving towards prohibitions and restrictions, which is not good for experienced users and developers. It seems that the T2 chip blocks access to the SMC under Windows, and this controller is needed to obtain sensor values and information about the fans."
Although a ticket has been filed on GitHub, the developer says not to expect the problem to be fixed.