by nneonneo 2759 days ago
Please read Apple’s white paper on the security chip: https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overvi...

They provide a setting that lets you disable the boot security at will, allowing you to install Linux or any other alternative OS. Security features on macOS (as opposed to iOS) are generally optional, but enabled by default (as is the sensible choice).

They don’t provide you the ability to reprogram the T2 itself, which is a shame but not entirely without merit - compromising the T2 chip would be far more dangerous than compromising the OS in terms of persistence.


I've read that the T2 chip also provides the mass storage interface and without documentation or drivers, Linux cannot be run from the internal drive. Devices with the T2 chip can be booted and run from USB connections with the security disabled but not an internal drive.

Yes, that's unfortunate - the lack of drivers means that Linux devs will once again have to reverse someone's proprietary software to develop their own drivers. It's not a fun state of affairs. Unfortunately, Apple is not likely to start fully supporting Linux on Mac hardware by providing drivers and documentation. But the point here is that they haven't done anything technically to prevent you from running Linux.

From what I remember, it acts as a "normal" NVMe device and you can just add its PCI ID and see the disk in Linux…

but 10 seconds after that it powers the system off because it detects something like an unauthorized OS. Sounds a bit like prevention.

Unacceptable. The user must disable Secure Boot to run Linux, which means the system becomes vulnerable to bootkit attacks. And, the typical scenario will be a user who leaves it disabled, making both macOS and Linux and possibly Windows (if also installed) more vulnerable to bootkit attacks.

I'm quite sure Microsoft would be willing to provide Apple their UEFI public key, which is what pretty much all Linux shim bootloaders are signed with.

> Unacceptable. The user must disable Secure Boot to run Linux, which means the system becomes vulnerable to bootkit attacks.

I see this said a lot, and I find it baffling because so many Linux users demanded no secure boot at all - which is exactly the thing being called unacceptable now. (It's not just you; The Register, for instance, complained about how "malware or malicious users that gets onto your Mac can potentially alter the operating system to hide spyware right from startup" when secure boot is off, in an article otherwise complaining about how Apple must hate Linux users because secure boot is now on.) There is no increased risk of bootkit attacks to Linux users as a result of this change. There is simply a reduced risk to macOS users.

I do agree that a model (as MS implemented) where you can enroll your own keys would be better - but that would be a new feature. In the meantime, if every Macintosh from the 128K until today was acceptable, what changed?

I think that secure boot got maligned as non-removable options were conflated with the ones where you could enroll keys.

The white paper addresses this - the UEFI CA is not included in the secure enclave's trust store. This is intentional - the UEFI CA is used to sign bootloaders that don't perform chain-of-trust validation, meaning that if the secure enclave trusted the UEFI CA by default, then secure boot could be pretty trivially bypassed.

Sure, they could make things more secure by allowing you to add your own keys. You could go ahead and add the public key for your secure bootloader that does chain-of-trust validation, but the "typical scenario" would be a user adding a generic UEFI CA that leaves them open to a modified or malicious OS.
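The chain-of-trust argument in the two comments above can be made concrete with a small model of a boot chain. This is an added example, not Apple's firmware code or anything from the white paper: signatures are stand-ins built with HMAC-SHA256 over constructed keys, and the CA names (`platform_ca`, `generic_uefi_ca`, `attacker_key`), image contents and stage names are all assumptions. The evaluator walks the chain the way a firmware root and each loader would, and reports which images were actually checked, so the difference between a loader that validates the next stage and a generic one that does not shows up in the result rather than in prose.

```python
"""Simulated secure-boot chain-of-trust evaluator (added example, hypothetical)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in keys for the CAs in the discussion (hypothetical values).
CA_KEYS = {
    "platform_ca": b"constructed-platform-ca-key",
    "generic_uefi_ca": b"constructed-generic-uefi-ca-key",
    "attacker_key": b"constructed-attacker-key",
}


def sign(ca: str, payload: bytes) -> bytes:
    """Stand-in for a code-signing signature: HMAC-SHA256 under the CA's key."""
    return hmac.new(CA_KEYS[ca], payload, hashlib.sha256).digest()


def verify(ca: str, payload: bytes, signature: bytes) -> bool:
    """True if `signature` was produced over `payload` by the named CA."""
    return hmac.compare_digest(sign(ca, payload), signature)


@dataclass
class Stage:
    """One image in the boot chain (bootloader, kernel, ...)."""
    name: str
    payload: bytes
    signature: bytes
    # CAs this stage itself trusts when checking the image it hands off to.
    # An empty set models a loader that jumps to the next image unchecked.
    trusted_cas: frozenset = frozenset()
    next_stage: Optional["Stage"] = None


def make_stage(name, payload, signed_by, trusted_cas=(), next_stage=None):
    """Build a stage whose image is signed by the named CA."""
    return Stage(name, payload, sign(signed_by, payload), frozenset(trusted_cas), next_stage)


def evaluate_chain(firmware_trust_store, first):
    """Walk the chain like firmware plus loaders would and report what was checked.

    booted     - control reached the last image
    verified   - images whose signature was checked by the stage before them
    unverified - images given control without any check (the chain breaks here)
    halted_at  - image whose check failed, or None
    """
    report = {"booted": False, "verified": [], "unverified": [], "halted_at": None}

    def check(trusted, stage):
        return any(verify(ca, stage.payload, stage.signature) for ca in trusted)

    # The firmware root checks the first image against its own trust store.
    if not check(firmware_trust_store, first):
        report["halted_at"] = first.name
        return report
    report["verified"].append(first.name)

    current = first
    while current.next_stage is not None:
        nxt = current.next_stage
        if not current.trusted_cas:
            # Loader performs no validation: whatever is next gets control.
            report["unverified"].append(nxt.name)
        elif check(current.trusted_cas, nxt):
            report["verified"].append(nxt.name)
        else:
            report["halted_at"] = nxt.name
            return report
        current = nxt
    report["booted"] = True
    return report


# Constructed image contents used by the scenarios below.
KERNEL_OK = b"constructed platform kernel image"
KERNEL_TAMPERED = b"constructed tampered kernel image"


def scenario_platform_only():
    """Trust store holds only the platform CA; the loader validates the kernel."""
    kernel = make_stage("kernel", KERNEL_OK, "platform_ca")
    loader = make_stage("bootloader", b"validating loader", "platform_ca",
                        trusted_cas={"platform_ca"}, next_stage=kernel)
    return evaluate_chain({"platform_ca"}, loader)


def scenario_platform_rejects_generic_loader():
    """Same trust store; a loader signed only by the generic CA is refused."""
    kernel = make_stage("kernel", KERNEL_OK, "platform_ca")
    loader = make_stage("generic-shim", b"non-validating loader", "generic_uefi_ca",
                        next_stage=kernel)
    return evaluate_chain({"platform_ca"}, loader)


def scenario_generic_ca_enrolled():
    """Generic CA enrolled; its loader does no validation, so a kernel signed by
    a key the firmware never trusted still gets control."""
    kernel = make_stage("kernel", KERNEL_TAMPERED, "attacker_key")
    loader = make_stage("generic-shim", b"non-validating loader", "generic_uefi_ca",
                        next_stage=kernel)
    return evaluate_chain({"platform_ca", "generic_uefi_ca"}, loader)


if __name__ == "__main__":
    for scenario in (scenario_platform_only, scenario_platform_rejects_generic_loader,
                     scenario_generic_ca_enrolled):
        print(scenario.__name__, scenario())
```

The third scenario is the case the comment describes: the firmware's root check passes (the shim really is signed by an enrolled CA), yet the kernel ends up in `unverified` because nothing between the root and the kernel performed a check. A model that lets the owner enroll keys is only as strong as the validation done by whatever those keys sign, which is why adding a CA that signs non-validating loaders is equivalent to turning secure boot off.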

> But the "typical scenario" would be a user adding a generic UEFI CA that leaves them open to a modified or malicious OS

What's the downside (to allowing it)? Do they think they need to protect users from themselves?

> And, the typical scenario will be a user who leaves it disabled, making both macOS and Linux and possibly Windows (if also installed) more vulnerable to bootkit attacks.

No way. The typical user will leave it enabled because they will only use macOS.

Bootcamp will also install Microsoft's root for UEFI so that Windows 10 can run fully secure.

So Apple will let you run macOS or Windows, but not Linux or anything else. Wow. This is the exact scenario the secure boot opponents several years ago were trying to stop.

No, Apple will let you secure boot into macOS or Windows, and will allow you to disable secure boot so you can boot into Linux or anything else.