Blocking Linux From Booting

  • Don’t Panic, You Can Boot Linux on Apple’s New Devices

    Does Apple stop Linux from booting on its newly refreshed Mac Mini PC or MacBookAir laptops?

    That’s the claim currently circling the web’s collective drain. The posit is that the new T2 ‘secure enclave’ chip Apple has baked in to its new models prevents Linux from booting.

    But is this actually true?

    Kinda. The answer is both “yes, technically” and “no, not completely”.

  • Apple's New Hardware With The T2 Security Chip Will Currently Block Linux From Booting

    Apple's MacBook Pro laptops have become increasingly unfriendly with Linux in recent years while their Mac Mini computers have generally continued working out okay with most Linux distributions due to not having to worry about multiple GPUs, keyboards/touchpads, and other Apple hardware that often proves problematic with the Linux kernel. But now with the latest Mac Mini systems employing Apple's T2 security chip, they too are likely to crush any Linux dreams.

    At least until further notice, these new Apple systems sporting the T2 chip will not be able to boot Linux operating systems. Apple's T2 security chip being embedded into their newest products provides a secure enclave, APFS storage encryption, UEFI Secure Boot validation, Touch ID handling, a hardware microphone disconnect on lid close, and other security tasks. The T2 restricts the boot process quite a bit and verifies each step of the process using crypto keys signed by Apple.

"...Blocking Linux From Booting"

  • Apple’s T2 Security Chip Is Currently Blocking Linux From Booting

    Linux enthusiasts must be knowing that one can run Linux distributions on Apple’s older hardware, including the MacBook Air. The quality of Apple’s solid hardware had even prompted Linux creator Linus Torvalds to use MacBook Air to run Linux in the past.

    However, the newer lineup of Apple hardware is becoming increasingly hostile towards Linux. With the latest T2 security chip, Apple’s latest Mac Mini is stopping Linux from booting, as reported by Phoronix. I guess it would be safe to assume similar results on other newer Apple hardware.

Thom Holwerda's Take

  • Apple blocks Linux on new Macs with T2 security chips

    Right now, there is no way to run Linux on the new Mac hardware. Even if you disable Secure Boot, you can still only install macOS and Windows 10 - not Linux. Luckily, Linux users don't have to rely on Macs for good hardware anymore - there are tons of Windows laptops out there that offer the same level of quality with better specifications at lower prices that run Linux just fine.

The update

  • Apple T2 Security Chip removes Linux support from some newer Macs [Update]

    A reader has pointed out that it's possible to disable Secure Boot on T2-equipped devices, making it possible to boot and install Linux distributions. To run Linux you must first access the Startup Security Utility and choose the 'No Security' option; here are the instructions on how to access the utility...

Booting Linux On New Apple Hardware

  • Booting Linux On New Apple Hardware

    I ran across articles that point to the fact that Apple (with new hardware) is making it difficult to boot into Linux. This would seem to be a perpetuation of Microsoft and Apple attempting to "elbow" Linux aside. Whether true or not, I do not know.

    My viewpoint is simply a reflection of reading passing headlines. I don't know whether Microsoft and Apple are actually attempting to frustrate the adoption of Linux as a mainstream operating system. If they weren't, my guess would be that both Microsoft and Apple would have been working with the Linux community to have a (universal) secure boot option that would work with virtually all operating systems.

Macs to Linux fans: Stop right there

  • Macs to Linux fans: Stop right there, Penguinista scum, that's not macOS

    The knickers of the Linux world have become ever so twisty over the last few days as Penguinistas fell foul of the security hardware in their pricey Apple hardware.

    Reports are coming in of Linux fans struggling to get their distribution of choice to install on the latest Cupertino cash cows with fingers pointed at the T2 chip.

    The T2 does all manner of things in the latest batch of Macs (including the new MacBook Air and Mac mini models announced last week) including dealing with the SSD, audio, and secure boot. And it is with the latter that problems appear to be occurring.

Linux could be banned on Apple’s new Macs

  • Linux could be banned on Apple’s new Macs

    Apple recently announced their new Macs with powerful chipsets and enhanced security. The security has been beefed up with an Apple T2 Security Chip that provides a strong and Secure Enclave co-processor that is mainly responsible for TouchID, APFS storage encryption, UEFI Secure Boot validation, Touch ID handling, a hardware microphone disconnect on lid close, and others. This same chip also enables the secure boot feature on most new Apple computers, which could be a huge block for most Linux installations.

    A report by Phoronix states that the T2 Chip has been blocking Linux from booting and only allows Apple MacOS and Microsoft Windows OS to work well.

You can’t run Linux on Apple’s 2018 Macs

No, Apple's not locking you out of Linux

  • No, Apple's not locking you out of Linux on Mac with the T2 chip

    Apple's T2 Security Chip provides a lot of great features for the vast majority of people, including secure boot, real-time AES 256-bit data encryption, and even Touch ID authentication for MacBook Air and MacBook Pro. For them, it's on by default and should just be left on by default.

    Because of that security, it's led some power-users to believe that Apple is locking down T2 machines, including those MacBooks as well as the iMac Pro and new Mac mini, so completely you will no longer be able to do things like boot into Linux.

    My understanding is that you can, in fact, boot into Linux if you really want to. You just need to disable secure boot on your Mac first.

Microsoft holds the keys

  • Linux could be banned on Apple’s new Macs

    A report by Phoronix states that the T2 Chip has been blocking Linux from booting and only allows Apple MacOS and Microsoft Windows OS to work well.

    Apple explains that there is currently no trust provided for the Microsoft Corporation UEFI CA 2011, which would allow verification of code signed by Microsoft partners. UEFI CA is commonly used to verify the authenticity of bootloaders for other operating systems such as Linux variants.

Apple's new bootloader won't let you install GNU/Linux

  • Apple's new bootloader won't let you install GNU/Linux

    Locking bootloaders with trusted computing is an important step towards protecting users from some of the most devastating malware attacks: by allowing the user to verify their computing environment, trusted computing can prevent compromises to operating systems and other low-level parts of their computer's operating environment.

    But as with every security measure, there's a difference between "secure for the user" and "secure against the user." Bootloader protection that doesn't allow an owner to decide which signatures they trust is security against the user: security that prevents the user from overriding the manufacturer, and so allows the manufacturer to lock the user in.

    Apple's latest bootloader protection, the controversial T2 chip, is a good example of this. The chip comes with a user-inaccessible root of trust that allows for the installation of Apple and Microsoft operating systems, but not GNU/Linux and other open and free alternatives.

What will Apple's T2 chip mean for the rest of us?

Apple Will Block Certain Third-Party Repairs

  • Apple’s T2 Security Chip Will Block Certain Third-Party Repairs, Users Might Have To Shell Significantly More For Repairs

    If you are a fan of Apple and a Gadget geek, you must be familiar with the T2 chip, which goes about as a co-processor in Apple’s devices and, is the key to a considerable lot of Apple’s freshest and most advanced features.

    Apple affirmed this is the situation for fixes including certain parts on more up to date Macs, similar to the rationale load up and Touch ID sensor, which is the first run through the organization has freely recognized the new fix necessities for T2 prepared Macs. In any case, Apple couldn’t give a rundown of fixes that required this or what gadgets were influenced. It additionally couldn’t state whether it started this convention with the iMac Pro’s presentation a year ago or if it’s another strategy organized as of late.

    The T2 is a customized component that performs different complex and essential functions such as preparing for Touch ID. It additionally stores the cryptographic keys important to boot the machines it keeps running on safely. According to Apple, the chip has new features, as well, for example, empowering the MacBook Pro to react to “Hello Siri” queries without expecting you to press a catch. It additionally keeps its workstation from being remotely worked on by programmers when the cover of the gadget is shut. Furthermore, the T2 chip is equipped for speaking with different segments with the end goal, to play out the simple most essential and advanced errands present day Macs are prepared to do.
