Apple's New Hardware with the T2 Security Chip Will Currently Block Linux from Booting

Megalith

Phoronix is reporting that Linux will not boot on any Apple device that utilizes the T2 security chip. Due to the lack of a certificate, only macOS and Windows 10 are supported at this time. Linux will not install even if the Security Boot functionality is disabled.

Apple's T2 security chip being embedded into their newest products provides a secure enclave, APFS storage encryption, UEFI Secure Boot validation, Touch ID handling, a hardware microphone disconnect on lid close, and other security tasks. The T2 restricts the boot process quite a bit and verifies each step of the process using crypto keys signed by Apple.
 
I'm bothered by this in principle, but it doesn't affect me as I was never going to buy Apple hardware anyway.

IMHO, I think it should be illegal to lock boot loaders on any device. Once you buy a device it is yours, and you should have the freedom to run whatever operating system or software on it you please.
 
I'm bothered by this in principle, but it doesn't affect me as I was never going to buy Apple hardware anyway.

IMHO, I think it should be illegal to lock boot loaders on any device. Once you buy a device it is yours, and you should have the freedom to run whatever operating system or software on it you please.
The freedom to do as you wish is an important sentiment, but a sarcastic "good luck" is the reality. Don't buy into flawed designs in the first place. Just because we throw money at a product doesn't grant us any power to dictate how it should function. While locked bootloaders are annoying, it's been a common practice for a very long time -- especially in the video game console arena.
 
Who in their right mind would choose a modern Apple machine to put anything on, let alone Lunix the Good? So no problem here. ;)
 
If you were into dual booting Linux/MacOS anyway, why wouldn't you just go the extra step and make a Hackintosh? I've thought about doing it just to get a feeling for how MacOS works; sure as hell not going to shell out a few grand just to tinker with an OS.
 
If you were into dual booting Linux/MacOS anyway, why wouldn't you just go the extra step and make a Hackintosh? I've thought about doing it just to get a feeling for how MacOS works; sure as hell not going to shell out a few grand just to tinker with an OS.

I put one together quite a while ago. As a longtime user of the Slackware Lunix Disturbation it was such a step down, and really a dog's breakfast of *nix and whatever the hell the rest is. It got deleted rather quickly.
 
The freedom to do as you wish is an important sentiment, but a sarcastic "good luck" is the reality. Don't buy into flawed designs in the first place. Just because we throw money at a product doesn't grant us any power to dictate how it should function. While locked bootloaders are annoying, it's been a common practice for a very long time -- especially in the video game console arena.
As far as I am concerned you should be able to do whatever you want with the stuff you buy but it should void your warranty. No company should be responsible to repair/replace something you bricked. If they do cool but shouldn't be expected.
 
You know this is going to actually upset a whole lot of developers that run Ubuntu on Apple gear. Not joking, this is them shitting on their clients.
 
Who in their right mind would choose a modern Apple machine to put anything on, let alone Lunix the Good? So no problem here. ;)
#1 if I buy something I expect to be able to use it
#2 "modern" very quickly becomes old and people soon find the latest and greatest update of Windows/OSX locks them out of what they thought was decent hardware. They either shell out to keep the upgrade cycle alive OR re-purpose it. This is the area that linux is 2nd to none but we are now entering an era where what you buy isn't yours. It will be bypassed somehow but this is a dick move




http://theoatmeal.com/comics/apple
 
You know this is going to actually upset a whole lot of developers that run Ubuntu on Apple gear. Not joking, this is them shitting on their clients.

There is something fundamentally funny about running Ubuntu on a Mac. ;) "It just works". mWhahaha
 
Actually it IS very much on Apple. They are taking the permission away.

No, they are attempting to make the device more secure, does anyone really think Apple gives a shit if someone boots Linux or not?

If Apple was attempting to lock down the platform, then Windows would not boot either. If the Linux community would pull its head out of its ass and pull the sled in one direction, they would have a security certificate that would allow Linux to boot with the T2 chip.
 
Apple could care less if their devices boot Linux. I'm going to theorize (aka make some numbers up) - but the majority of people that buy a Mac will have no interest in putting Linux on it in the first place.

Should they have the right to do so? I think the answer is yes, it's your device once you buy it. If Apple stops supporting your device, perhaps a Linux distro will keep your hardware going.

I use a Mac for work and have to say it is a great development platform. I use Parallels to run Windows 10 (Visual Studio plus other software I use for Windows). Xcode is a nice dev platform for iOS. Android Studio works fine on Mac. I spend a lot of my day with Terminal (shell).
I also have Docker for my Linux needs (MySQL, PHP, etc).

I would also argue that a Mac is an expensive option for a Linux device. There are cheaper options with similar spec'd hardware.
 
Some people prefer the hardware and run what they want on it.

Then don't buy Macs but instead buy the hardware that does so? What's so hard about that concept?

If I only want to buy something that runs macOS, and Apple provides hardware that more securely runs macOS but won't let Linux run then who the fuck cares? It's not like the majority of people in this thread bitching about this were going to buy Macs anyway, by their own admission.

This is something about tech that I NEVER understand. What is so threatening about someone doing something different than what you like that you have to ridicule or demand that a product (that you state you will never buy!) should be forced to support your whim anyway?

What the hell? You don't like Macs. Got it. Continue to not buy them. Apple certainly doesn't care.

Not every company is a good company to buy from - well, not every customer is a good customer either. The worst companies are those who think they can be all things to all people.

If Apple sent out the goon squad to confiscate all non-Apple hardware then I might be able to see the fuss in this thread. But they don't. So just suck it up and accept that Apple doesn't give a flying fuck about your whims and buy from some other vendor that will be more than happy to cater to your whims. There certainly are enough other vendors out there who will be more than happy to do so.

I thought diversity was our strength :rolleyes:
 
Some people prefer the hardware and run what they want on it.
Well, it is all x86-64 equipment anyways.
Is there something that Apple hardware does (EFI vs UEFI?) that other x86-64 equipment does not?

I'm legitimately asking, as all-in-one units like the iMac are pretty easy to come by that nearly all branches of GNU/Linux fully support.
Apple has always had very locked down hardware, and this is just one step closer to them having a fully closed environment - makes me wonder if this is another preliminary step by Apple to shift their hardware (and user-base) away from x86-64 in order to migrate to ARM64 (frog in boiling pot technique).

btw, I used to run Ubuntu 10.04LTS on my Apple PowerBook G4 back in 2010, so I can understand a bit where you are coming from. ;)
 
The thread title literally answers your question.
No shit, they have a T2 Security Chip, which does not answer the question I asked - you don't need to act like an asshole. :meh:
I was legitimately asking BloodyIron what made Apple x86-64 based systems special compared to standard "PC" x86-64 systems.
 
There’s nothing inherently different except the addition of the chip.
The point of my question to BloodyIron was basically that if there is a difference that Linux devs needed on Apple hardware that they are unable to get from standard "PC" hardware, to what extent it would affect them.
The "addition of the T2 Security Chip" does not answer my question, nor did it have anything to do with it, so I have no clue why you would post such an asinine response.
 
This is simply a matter of Apple not allowing Linux to boot. It’s up to Apple to provide the proper certificate to allow Linux to boot as a secondary OS. Windows doesn’t work by default until the certificate is provided via Boot Camp. Disabling the chip disables access to internal storage, which makes installing Linux, or anything for that matter, impossible. Apple needs to provide the proper certificate(s) for Linux to be bootable, but I don’t see that happening anytime soon. There’s nothing Linux devs can do to circumvent this.
That is literally what the article, which I read, stated.
That also does not answer the question I asked, and again, had nothing to do with it.

To respond to your statements, specifically, this is only being implemented in the newest Apple hardware, so users with existing Apple systems out there should have little to worry about with this.
It is Apple's hardware, and they can do what they want with it, much like Sony, Microsoft, and Nintendo do with their hardware as well - you are right, there is little to nothing Linux devs can do about this other than attempt to bypass it, if possible, though that could void the warranty on such devices as well.

This also officially makes all x86-64 based Apple systems proprietary PCs, much as the PC-98, original XBox, were and the PS4 and XBone are now.
I really do believe this is one more step in Apple's plan to move forward with getting people away from x86-64 and more towards their own in-house ARM64 CPUs and systems - come 2020, we will know for sure.
 
They shuffled all the pro users off a while ago, and were pretty blunt about it. Now it's the Linux and app developers' turn.

Apple doesn't want to be a PC company. They are a consumer electronics company.
 
As far as I am concerned you should be able to do whatever you want with the stuff you buy but it should void your warranty. No company should be responsible to repair/replace something you bricked. If they do cool but shouldn't be expected.

I'm fine if they don't cover failed third party software installs, as long as they aren't allowed to reject coverage for actual hardware failures because of it.

They should have to prove that any failure they decline coverage for is not hardware related
 
You know this is going to actually upset a whole lot of developers that run Ubuntu on Apple gear. Not joking, this is them shitting on their clients.
Just run it in a VM.... Parallels does a fine job, this is not a Mac problem if a Linux distro wants their stuff to run on Mac they can go through Apple’s validation process and get their digital signing. This is basically just Apple's own UEFI v.2.
 
apple:
how can we find another way to get money by providing more annoying product with functionality removed..
- let's remove the well working minijack
- let's charge for os to be able to be installed
 
Just run it in a VM.... Parallels does a fine job, this is not a Mac problem if a Linux distro wants their stuff to run on Mac they can go through Apple’s validation process and get their digital signing. This is basically just Apple's own UEFI v.2.

This is basically the "protection money" in a new way.
"You have to pay for us to not interfere with your business that ran perfectly before we arrived"

How hard is it to give the customer an option to disable it?
 
What's with a T2 security chip?

I was always told, unlike a PC, Apple products couldn't be hacked or infected.

Or was that then?
 
Where exactly did I demand something? I didn't demand anything, I simply said there are people that are going to be upset about this.

For literally decades people have bought Apple laptops/etc and put Linux on it. They know there's no promise or guarantee of it working on there, but that's their choice.

You're the one putting words in their mouths about "demanding" things...

Then don't buy Macs but instead buy the hardware that does so? What's so hard about that concept?

If I only want to buy something that runs macOS, and Apple provides hardware that more securely runs macOS but won't let Linux run then who the fuck cares? It's not like the majority of people in this thread bitching about this were going to buy Macs anyway, by their own admission.

This is something about tech that I NEVER understand. What is so threatening about someone doing something different than what you like that you have to ridicule or demand that a product (that you state you will never buy!) should be forced to support your whim anyway?

What the hell? You don't like Macs. Got it. Continue to not buy them. Apple certainly doesn't care.

Not every company is a good company to buy from - well, not every customer is a good customer either. The worst companies are those who think they can be all things to all people.

If Apple sent out the goon squad to confiscate all non-Apple hardware then I might be able to see the fuss in this thread. But they don't. So just suck it up and accept that Apple doesn't give a flying fuck about your whims and buy from some other vendor that will be more than happy to cater to your whims. There certainly are enough other vendors out there who will be more than happy to do so.

I thought diversity was our strength :rolleyes:
 
Well, one of the most notable features is the advent of Thunderbolt 1/2/3 earlier than other systems, plus at times higher build quality from a chassis/component perspective vs alternative options on the market.

It's not like they can't get similar systems elsewhere, but it can be at times down to preference (subjective), more than objective reasoning. (looks good? is lighter? etc)

Well, it is all x86-64 equipment anyways.
Is there something that Apple hardware does (EFI vs UEFI?) that other x86-64 equipment does not?

I'm legitimately asking, as all-in-one units like the iMac are pretty easy to come by that nearly all branches of GNU/Linux fully support.
Apple has always had very locked down hardware, and this is just one step closer to them having a fully closed environment - makes me wonder if this is another preliminary step by Apple to shift their hardware (and user-base) away from x86-64 in order to migrate to ARM64 (frog in boiling pot technique).

btw, I used to run Ubuntu 10.04LTS on my Apple PowerBook G4 back in 2010, so I can understand a bit where you are coming from. ;)
 
Parallels is actually quite awesome, but that doesn't mean it's the same as bare metal.

Just run it in a VM.... Parallels does a fine job, this is not a Mac problem if a Linux distro wants their stuff to run on Mac they can go through Apple’s validation process and get their digital signing. This is basically just Apple's own UEFI v.2.
 
I'm bothered by this in principle, but it doesn't affect me as I was never going to buy Apple hardware anyway.

IMHO, I think it should be illegal to lock boot loaders on any device. Once you buy a device it is yours, and you should have the freedom to run whatever operating system or software on it you please.
I only have one issue with this, and it may not apply to you, but here goes...

You are free to do with it whatever you want. Apple just makes it harder for you to do it (in this case, in the name of "security"). You wouldn't normally complain about a gate hinge that had a cover plate to prevent tampering, because you know it was made that way to keep people from getting through the gate without opening the lock. If it prevented you from doing something you want, you'd get another gate/hinge or you'd hack it.
 
If that works I don't really see the issue here
The biggest issue is the T2 chip's blocking of 3rd party hardware forcing you to purchase authentic apple replacement parts essentially killing off most of the DIY Apple repairs and if a few years down the road Apple requires the T2 chip for the OS it would really shake up the Hackintosh community.
 
The biggest issue is the T2 chip's blocking of 3rd party hardware forcing you to purchase authentic apple replacement parts essentially killing off most of the DIY Apple repairs and if a few years down the road Apple requires the T2 chip for the OS it would really shake up the Hackintosh community.

So it's not blocking Mac HW for not auth software
It could potentially block for Mac SW running and standard HW ?
 
So it's not blocking Mac HW for not auth software
It could potentially block for Mac SW running and standard HW ?
I am not sure yet on the specifics, but I am remote and I have a lot of Apple products running on my sites, I am remote so the nearest Apple authorized repair center is a LOOOOOONG way away and we don't use it so I do the repairs in house, so you bet I am following this closely, but here is a snippet from The Verge from an interview with iFixit.

The T2 is “a guillotine that [Apple is] holding over” product owners, iFixit CEO Kyle Wiens told The Verge over email. That’s because it’s the key to locking down Mac products by only allowing select replacement parts into the machine when they’ve come from an authorized source — a process that the T2 chip now checks for during post-repair reboot. “It’s very possible the goal is to exert more control over who can perform repairs by limiting access to parts,” Wiens said. “This could be an attempt to grab more market share from the independent repair providers. Or it could be a threat to keep their authorized network in line. We just don’t know.”
 