Language Selection

English French German Italian Portuguese Spanish

Blocking Linux From Booting

Filed under
Linux
Mac
  • Don’t Panic, You Can Boot Linux on Apple’s New Devices

    Does Apple stop Linux from booting on its newly refreshed Mac Mini PC or MacBookAir laptops?

    That’s the claim currently circling the web‘s collective drain. The posit is that the new T2 ‘secure enclave’ chip Apple has baked in to its new models prevents Linux from booting.

    But is this actually true?

    Kinda. The answer is both “yes, technically” and “no, not completely”.

  • Apple's New Hardware With The T2 Security Chip Will Currently Block Linux From Booting

    Apple's MacBook Pro laptops have become increasingly unfriendly with Linux in recent years while their Mac Mini computers have generally continued working out okay with most Linux distributions due to not having to worry about multiple GPUs, keyboards/touchpads, and other Apple hardware that often proves problematic with the Linux kernel. But now with the latest Mac Mini systems employing Apple's T2 security chip, they took are likely to crush any Linux dreams.

    At least until further notice, these new Apple systems sporting the T2 chip will not be able to boot Linux operating systems. Apple's T2 security chip being embedded into their newest products provides a secure enclave, APFS storage encryption, UEFI Secure Boot validation, Touch ID handling, a hardware microphone disconnect on lid close, and other security tasks. The T2 restricts the boot process quite a bit and verifies each step of the process using crypto keys signed by Apple.

"...Blocking Linux From Booting"

  • Apple’s T2 Security Chip Is Currently Blocking Linux From Booting

    Linux enthusiasts must be knowing that one can run Linux distributions on Apple’s older hardware, including the MacBook Air. The quality of Apple’s solid hardware had even prompted Linux creator Linus Torvalds to use MacBook Air to run Linux in the past.

    However, the newer lineup Apple hardware is becoming increasingly hostile towards Linux. With the latest T2 security chip, Apple’s latest Mac Mini is stopping Linux from booting, as reported by Phoronix. I guess it would be safe to assume similar results on other newer Apple hardware.

Thom Holwerda's Take

  • Apple blocks Linux on new Macs with T2 security chips

    Right now, there is no way to run Linux on the new Mac hardware. Even if you disable Secure Boot, you can still only install macOS and Windows 10 - not Linux. Luckily, Linux users don't have to rely on Macs for good hardware anymore - there are tons of Windows laptops out there that offer the same level of quality with better specifications at lower prices that run Linux just fine.

The update

  • Apple T2 Security Chip removes Linux support from some newer Macs [Update]

    A reader has pointed out that it's possible to disable Secure Boot on T2-equipped devices making it possible to boot and install Linux distributions. To run Linux you must first access the Startup Security Utility and choose the 'No Security' option, here are the instructions on how to access to the utility...

Booting Linux On New Apple Hardware

  • Booting Linux On New Apple Hardware

    I ran across articles that point to the fact that Apple (with new hardware) is making it difficult to boot into Linux. This would seem to be a perpetuation of Microsoft and Apple attempting to "elbow" Linux aside. Whether true or not, I do not know.

    My viewpoint is simply a reflection of reading passing headlines. I don't know whether Microsoft and Apple are actually attempting to frustrate the adoption of Linux as a mainstream operating system. If they weren't; my guess would be that both Microsoft and Apple would have been working with the Linux community to have a (universal) secure boot option that would work with virtually all operating systems.

Macs to Linux fans: Stop right there

  • Macs to Linux fans: Stop right there, Penguinista scum, that's not macOS

    The knickers of the Linux world have become ever so twisty over the last few days as Penguinistas fell foul of the security hardware in their pricey Apple hardware.

    Reports are coming in of Linux fans struggling to get their distribution of choice to install on the latest Cupertino cash cows with fingers pointed at the T2 chip.

    The T2 does all manner of things in the latest batch of Macs (including the new MacBook Air and Mac mini models announced last week) including dealing with the SSD, audio, and secure boot. And it is with the latter that problems appear to be occurring.

Linux could be banned on Apple’s new Macs

  • Linux could be banned on Apple’s new Macs

    Apple recently announced their new Macs with powerful chipsets and enhanced security. The security has been beefed up with an Apple T2 Security Chip that provides a strong and Secure Enclave co-processor that is mainly responsible for TouchID, APFS storage encryption, UEFI Secure Boot validation, Touch ID handling, a hardware microphone disconnect on lid close, and others. This same chip also enables the secure boot feature on most new Apple computers, which could be a huge block for most Linux installations.

    A report by Phoronix states that the T2 Chip has been blocking Linux from booting and only allows Apple MacOS and Microsoft Windows OS to work well.

You can’t run Linux on Apple’s 2018 Macs

No, Apple's not locking you out of Linux

  • No, Apple's not locking you out of Linux on Mac with the T2 chip

    Apple's T2 Security Chip provides a lot of great features for the vast majority of people, including secure boot, real-time AES 256-bit data encryption, and even Touch ID authentication for MacBook Air and MacBook Pro. For them, it's on by default and should just be left on by default.

    Because of that security, it's led some power-users to believe that Apple is locking down T2 machines, including those MacBooks as well as the iMac Pro and new Mac mini, so completely you will no longer be able to do things like boot into Linux.

    My understanding is that you can, in fact, boot into Linux if you really want to. You just need to disable secure boot on your Mac first.

Microsoft holds the keys

  • Linux could be banned on Apple’s new Macs

    A report by Phoronix states that the T2 Chip has been blocking Linux from booting and only allows Apple MacOS and Microsoft Windows OS to work well.

    Apple explains that there is currently no trust provided for the Microsoft Corporation UEFI CA 2011, which would allow verification of code signed by Microsoft partners. UEFI CA is commonly used to verify the authenticity of bootloaders for other operating systems such as Linux variants.

Apple's new bootloader won't let you install GNU/Linux

  • Apple's new bootloader won't let you install GNU/Linux

    Locking bootloaders with trusted computing is an important step towards protecting users from some of the most devastating malware attacks: by allowing the user to verify their computing environment, trusted computing can prevent compromises to operating systems and other low-level parts of their computer's operating environment.

    But as with every security measure, there's a difference between "secure for the user" and "secure against the user." Bootloader protection that doesn't allow an owner to decide which signatures they trust is security against the user: security that prevents the user from overriding the manufacturer, and so allows the manufacturer to lock the user in.

    Apple's latest bootloader protection, the controversial T2 chip, is a good example of this. The chip comes with a user-inaccessible root of trust that allows for the installation of Apple and Microsoft operating systems, but not GNU/Linux and other open and free alternatives.

What will Apple's T2 chip mean for the rest of us?

Apple Will Block Certain Third-Party Repairs

  • Apple’s T2 Security Chip Will Block Certain Third-Party Repairs, Users Might Have To Shell Significantly More For Repairs

    If you are a fan of Apple and a Gadget geek, you must be familiar with the T2 chip, which goes about as a co-processor in Apple’s devices and, is the key to a considerable lot of Apple’s freshest and most advanced features.

    Apple affirmed this is the situation for fixes including certain parts on more up to date Macs, similar to the rationale load up and Touch ID sensor, which is the first run through the organization has freely recognized the new fix necessities for T2 prepared Macs. In any case, Apple couldn’t give a rundown of fixes that required this or what gadgets were influenced. It additionally couldn’t state whether it started this convention with the iMac Pro’s presentation a year ago or if it’s another strategy organized as of late.

    The T2 is a customized component that performs different complex and essential functions such as preparing for Touch ID. It additionally stores the cryptographic keys important to boot the machines it keeps running on safely. According to Apple, the chip has new features, as well, for example, empowering the MacBook Pro to react to “Hello Siri” queries without expecting you to press a catch. It additionally keeps its workstation from being remotely worked on by programmers when the cover of the gadget is shut. Furthermore, the T2 chip is equipped for speaking with different segments with the end goal, to play out the simple most essential and advanced errands present day Macs are prepared to do.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

Programming: Django, PHP, Polonius and More

  • Django 2.2 alpha 1 released
    Django 2.2 alpha 1 is now available. It represents the first stage in the 2.2 release cycle and is an opportunity for you to try out the changes coming in Django 2.2. Django 2.2 has a salmagundi of new features which you can read about in the in-development 2.2 release notes.
  • Eliminating PHP polyfills
    The Symfony project has recently created a set of pure-PHP polyfills for both PHP extensions and newer language features. It allows developers to add requirements upon those functions or language additions without increasing the system requirements upon end users. For the most part, I think this is a good thing, and valuable to have. We've done similar things inside MediaWiki as well for CDB support, Memcached, and internationalization, just to name a few. But the downside is that on platforms where it is possible to install the missing PHP extensions or upgrade PHP itself, we're shipping empty code. MediaWiki requires both the ctypes and mbstring PHP extensions, and our servers have those, so there's no use in deploying polyfills for those, because they'll never be used. In September, Reedy and I replaced the polyfills with "unpolyfills" that simply provide the correct package, so the polyfill is skipped by composer. That removed about 3,700 lines of code from what we're committing, reviewing, and deploying - a big win.
  • Polonius and region errors
    Now that NLL has been shipped, I’ve been doing some work revisiting the Polonius project. Polonius is the project that implements the “alias-based formulation” described in my older blogpost. Polonius has come a long way since that post; it’s now quite fast and also experimentally integrated into rustc, where it passes the full test suite.
  • Serious Python released!
    Well, Serious Python is the the new name of The Hacker's Guide to Python — the first book I published. Serious Python is the 4th update of that book — but with a brand a new name and a new editor!

today's howtos

Ditching Out-of-Date Documentation Infrastructure

Long ago, the Linux kernel started using 00-Index files to list the contents of each documentation directory. This was intended to explain what each of those files documented. Henrik Austad recently pointed out that those files have been out of date for a very long time and were probably not used by anyone anymore. This is nothing new. Henrik said in his post that this had been discussed already for years, "and they have since then grown further out of date, so perhaps it is time to just throw them out." He counted hundreds of instances where the 00-index file was out of date or not present when it should have been. He posted a patch to rip them all unceremoniously out of the kernel. Joe Perches was very pleased with this. He pointed out that .rst files (the kernel's native documentation format) had largely taken over the original purpose of those 00-index files. He said the oo-index files were even misleading by now. Read more

Mozilla: Rust 1.32.0, Privacy, UX and Firefox Nightly

  • Announcing Rust 1.32.0
    The Rust team is happy to announce a new version of Rust, 1.32.0. Rust is a programming language that is empowering everyone to build reliable and efficient software.
  • Rust 1.32 Released With New Debugger Macro, Jemalloc Disabled By Default
    For fans of Rustlang, it's time to fire up rustup: Rust 1.32 is out today as the latest feature update for this increasingly popular programming language. The Rust 1.32 release brings dbg!() as a new debug macro to print the value of a variable as well as its file/line-number and it works with more than just variables but also commands.
  • Julien Vehent: Maybe don't throw away your VPN just yet...
    At Mozilla, we've long adopted single sign on, first using SAML, nowadays using OpenID Connect (OIDC). Most of our applications, both public facing and internal, require SSO to protect access to privileged resources. We never trust the network and always require strong authentication. And yet, we continue to maintain VPNs to protect our most sensitive admin panels. "How uncool", I hear you object, "and here we thought you were all about DevOps and shit". And you would be correct, but I'm also pragmatic, and I can't count the number of times we've had authentication bugs that let our red team or security auditors bypass authentication. The truth is, even highly experienced programmers and operators make mistakes and will let a bug disable or fail to protect part of that one super sensitive page you never want to leave open to the internet. And I never blame them because SSO/OAuth/OIDC are massively complex protocols that require huge libraries that fail in weird and unexpected ways. I've never reached the point where I fully trust our SSO, because we find one of those auth bypass every other month. Here's the catch: they never lead to major security incidents because we put all our admin panels behind a good old VPN.
  • Reflections on a co-design workshop
    Co-design workshops help designers learn first-hand the language of the people who use their products, in addition to their pain points, workflows, and motivations. With co-design methods [1] participants are no longer passive recipients of products. Rather, they are involved in the envisioning and re-imagination of them. Participants show us what they need and want through sketching and design exercises. The purpose of a co-design workshop is not to have a pixel-perfect design to implement, rather it’s to learn more about the people who use or will use the product, and to involve them in generating ideas about what to design. We ran a co-design workshop at Mozilla to inform our product design, and we’d like to share our experience with you. [...] Our UX team was tasked with improving the Firefox browser extension experience. When people create browser extensions, they use a form to submit their creations. They submit their code and all the metadata about the extension (name, description, icon, etc.). The metadata provided in the submission form is used to populate the extension’s product page on addons.mozilla.org.
  • Firefox Nightly: These Weeks in Firefox: Issue 51