The knickers of the Linux world have become ever so twisty over the past few days as Penguinistas fell foul of the security hardware in their pricey Apple hardware.
Reports are coming in of Linux fans struggling to get their distribution of choice to install on the latest Cupertino cash cows with fingers pointed at the computers' built-in T2 security chip.
The T2 does all manner of things in the latest batch of Macs – including the new MacBook Air and Mac mini models announced last week – such as handling SSD storage, and secure boot. And it is with the latter that problems appear to be occurring.
Out of the box, the Mac doesn't like to boot anything that isn't cryptographically signed and sealed by Apple. It will start up in Recovery, Diagnostics, or Internet Recovery mode if it encounters a non-approved operating system, and that's about it. The machines will, by default, only trust code signed by Apple.
In the documentation for the T2 chip [PDF] kind old Cupertino concedes that people may want to use other, non-macOS, operating systems, and so you can use BootCamp to get Windows up and running, thanks to a copy of the Microsoft Windows Production CA 2011 certificate in the UEFI firmware.
The problems come when you want to run something that isn't Windows. In the past, Linux fans were able to make use of the Microsoft Corporation UEFI CA 2011. But not any more. According to Apple: "There is currently no trust provided for the the Microsoft Corporation UEFI CA 2011."
This is bad news since, in Apple's words, "This UEFI CA is commonly used to verify the authenticity of bootloaders for other operating systems such as Linux variants." In other words, if you sign your Linux or BSD kernel, say, with this CA, it won't be accepted.
At this point Penguinistas would expect to be able to reach for the Apple Startup Security Utility, which provides the option to disable secure boot, and thus just get what operating system you want running. According to Apple, this option "does not enforce any requirements on the bootable OS," meaning the software pretty much on its own with the hardware.
T2, more like Terminator 2, for unofficial OSes
However, even with secure boot disabled, people have encountered issues with the T2 chip. For example, it apparently blocks the unofficial operating system from certain motherboard functions – including the internal SSD. It's claimed the T2 hides the flash drive from non-approved OSes, a rather showstopping-limitation for anyone hoping to install Linux, BSD, and so on. Basically, they can't work from internal storage.
Also, even if the internal SSD was visible, if secure boot is disabled, malware or malicious users that gets onto your Mac can potentially alter the operating system to hide spyware right from startup.
Alas, here at Vulture Central we do not have any shiny new Macs on which to verify the T2's roadblocks, and Apple, as one would expect, remains tight-lipped on the issue. However, we can report that Ubuntu runs an absolute treat on a Dell XPS.
Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible ideaREAD MORE
Microsoft also has a Secure Boot implementation. For a PC to be certified for Windows 10, it "must allow the user to completely disable Secure Boot," interestingly enough.
Linus Torvalds memorably declared his love for his MacBook Air back in 2014. That affection may have soured somewhat since Apple has continued to flex its muscles and exert ever more control over user's hardware. After all, Cupertino would be a lot happier if everything worked like an iPad.
Any Linux fan tempted to drop some big bucks on Apple's latest and greatest would be wise to consider holding off until things settle down, unless virtualization will do the job.
Otherwise the likes of Dell or Lenovo will happily sell you some kit more than capable of running the open-source OS. Or pretty much anything else you want.
It is your hardware, after all. ®