Apple Blocks Linux From Booting On New Hardware With T2 Security Chip (phoronix.com) 373

AmiMoJo writes: Apple's new-generation Macs come with a new so-called Apple T2 security chip that's supposed to provide a secure enclave co-processor responsible for powering a series of security features, including Touch ID. At the same time, this security chip enables the secure boot feature on Apple's computers, and by the looks of things, it's also responsible for a series of new restrictions that Linux users aren't going to like.

The issue seems to be that Apple has included security certificates for its own and Microsoft's operating systems (to allow running Windows via Bootcamp), but not for the certificate that was provided for systems such as Linux. Disabling Secure Boot can overcome this, but also disables access to the machine's internal storage, making installation of Linux impossible.

This discussion has been archived. No new comments can be posted.

  • by Kohath ( 38547 ) on Saturday November 10, 2018 @02:40PM (#57622586)

    Seems like the most expensive way to get a Linux system. There have to be at least a dozen better choices for less money.

    • by tepples ( 727027 )

      A Mac running X11/Linux is the only (legal) way to develop and test macOS and X11/Linux versions of one application on one machine.

      • by ShanghaiBill ( 739463 ) on Saturday November 10, 2018 @02:53PM (#57622628)

        A Mac running X11/Linux is the only (legal) way to develop and test macOS and X11/Linux versions of one application on one machine.

        Why can't you just run Linux in a VM?

        • Why can't you just run Linux in a VM?

          Exactly.

          You'd think that people with the skills to install Linux would realize that there's more than one way to install Linux on a computer. There's several quite capable VMs that I'm aware of with excellent support for running Linux on macOS. There's Parallels, VMWare, VirtualBox, just off the top of my head. I suspect that in no time we'll see ESXi get signed for Apple hardware for the people that take things up a notch on virtual machines, like myself.

          If the goal is to test software on multiple platf

          • dual booting is NOT for chumps.

            case in point: I was dealing with a guy in my company (at a remote office) who was doing network testing of our embedded hardware and he was running a windows box with linux on top of it in a VM.

            FOR NETWORK PERFORMANCE TESTING.

            fuck! he was serious and had no idea that this was not the proper way to test for networking thruput, latency, jitter, etc. the vm layer will invalidate ALL tests you do. it's not a pass thru layer at all, not when I'm trying to quantify jitter and late

            • Re: (Score:3, Insightful)

              by blindseer ( 891256 )

              I'm still pretty sure dual booting is for chumps. Let's take your example.

              If the guy needs Linux on the metal for running network tests then run Linux on the metal. He can run Windows in a VM if he needs that for things like e-mail and office apps. If he's doing work where he needs both Windows and Linux on the metal then he needs two computers. It's not like a computer is an expensive piece of hardware any more. If the company can't be bothered to get him the hardware but hobble him with reboots on a

              • by tepples ( 727027 )

                One easy way that most every virtualization package I've seen supports is a USB pass through. The freeware VM packages might throttle this to 100 Mbps speeds

                Last I checked, VirtualBox's USB passthrough without the extension pack was limited to USB 1.1. That means 12 Mbps speeds, not 100 Mbps. The extension pack supports newer USB versions, but a commercial use license for the extension pack starts at $5,000. Which virtualization package were you thinking of?

                • Which virtualization package were you thinking of?

                  All of them.

                  Unless you are running some really odd hardware then there's a way to pass through the network to the VM at full speed on every VM package I've seen. I'm guessing I've seen a lot of them but not all. If the speed of the network is critical, and you need it for an OS in a VM on a Mac, and this is for mission critical work at a for profit business, then I'm guessing one just needs to suck it up and open up the wallet a bit for the right software. I double checked VMWare's website because that's

          • by Dorianny ( 1847922 ) on Saturday November 10, 2018 @07:30PM (#57623596) Journal
            Yes we are all aware of VM's and use them whenever appropriate. The problem with VM's is that they don't have direct access to the underlying hardware which means that you can't use them for applications requiring low level access to the Network Card or the GPU.

            Network troubleshooting and scientific apps are some of the main reasons people dual-boot Linux

          • by tepples ( 727027 )

            If the goal is to test software on multiple platforms then I'm a bit doubtful one needs to run on the metal anyway. The only things that I can think of that need that kind of access to hardware would be drivers

            That and GPU-intensive games.

            • That and GPU-intensive games.

              You're doing it wrong.

              I'm not big on the GPU intensive gaming so I have little first hand experience on this but I picked up a few things on this reading Slashdot. Apple hardware has been regularly mocked for their gaming performance, they just aren't built for it. On the low end systems there's often a pretty pathetic GPU. On the high dollar systems there might be a nice GPU but they are optimized for workstation type stuff, which is apparently different than what gamers want. Then there's issues of th

          • Why can't you just run Linux in a VM?

            Exactly.

            You'd think that people with the skills to install Linux would realize that there's more than one way to install Linux on a computer. There's several quite capable VMs that I'm aware of with excellent support for running Linux on macOS. There's Parallels, VMWare, VirtualBox, just off the top of my head. I suspect that in no time we'll see ESXi get signed for Apple hardware for the people that take things up a notch on virtual machines, like myself.

            If the goal is to test software on multiple platforms then I'm a bit doubtful one needs to run on the metal anyway. The only things that I can think of that need that kind of access to hardware would be drivers, and someone is not likely to write Linux drivers for Apple hardware this quickly except for things like getting it booting, which is exactly what people are working on right now.

            Dual booting is for chumps. If you can't dig up real hardware or figure out how to run a VM then you are simply getting ahead of yourself. Make it work on the hardware and OS you got, then worry about making some money or dig through some university dumpsters for some hardware.

            This is a made up problem since the hardware just came out. If this persists for a while then I might see an issue. My guess is someone figures this out next month but Slashdot won't post it because it's news where people can't go on bashing Apple.

            It makes more sense to run Linux on the hardware, and to use VM's for other O/S's. One has far more control over one's box with Linux -- as far as I am aware, neither Microsoft nor Apple allow people to both view their source code and to complete modified versions, with rare exceptions.

            So using a VM to run Linux is not an appropriate solution.

            • So using a VM to run Linux is not an appropriate solution.

              Then don't buy Apple hardware. At least not until this Linux boot issue is resolved.

              I've heard two reasons people run Linux on Apple hardware. First, Apple makes nice hardware and (until now at least) Linux support was quite good. So, buy used, wait and see if this issue is resolved, or both. Second, while a person might prefer Linux they have a need to run macOS for their work. In this case a dual boot is used, or running a VM with either macOS or Linux as host and the other as guest. Running Linux o

          • by ctilsie242 ( 4841247 ) on Sunday November 11, 2018 @12:17AM (#57624360)

            This has a double-edged sword though. The bad is when Apple stops supporting this machine, you can't just slap Ubuntu on it and continue using it, but you get to choose between keeping using an obsolete OS with security issues, going with Windows, or chucking the machine entirely.

            I personally have tested this. At first, I set the security level to "none", booted Ubuntu, because I do a blkdiscard on the SSD to ensure that there is absolutely nothing on the drive before I install macOS. Lo and behold no drives, not via NVMe, not SATA.

            I hope this is just an oversight. I would be surprised and extremely disappointed if Apple actually did not want Linux to run on their product by actively barring the UEFI shim needed to load RedHat, Ubuntu, and others.

            As of now, using virtualization software is a solution, although Parallels is "meh" at best, VirtualBox has gotchas, so your best bet is VMWare Fusion Pro, which isn't cheap, but well worth it.

        • Re: (Score:3, Interesting)

          by HiThere ( 15173 )

          Sorry, but no.
          That's not sufficient for me to consider Apple an acceptable vendor.

          If I buy (when I bought) an Apple it was with the intention of running all my software native. Some software was native Linux, and for that I rebooted into the Linux partition. Some was Apple, and for that I rebooted into the Apple partition. Seriously, the Apple software wasn't sufficiently CPU intensive that running native was necessary, but that was the only way I know how to run it. The Linux software needed better acc

        • by tepples ( 727027 )

          Why can't you just run Linux in a VM?

          You ask the same question as King_TJ's comment [slashdot.org]. Please see answers there.

      • Re: (Score:2, Informative)

        A Mac running X11/Linux is the only (legal) way to develop and test macOS and X11/Linux versions of one application on one machine.

        TFA lies on all of its major "Grievances"

        Here's the Apple Knowledge Base article on the Boot Assistant Utility:

        https://support.apple.com/en-u... [apple.com]

        Note that there are TWO "parameters" that can be adjusted.

        1. "Boot Protection". Note that this can be turned COMPLETELY OFF. No "Linux Block" Here.

        2. Whether to allow Booting from External Media. This is to guard against "Evil Maid" attacks. Notice that it, TOO, has a setting to ALLOW booting from an external drive, USB stick, SD card, etc.

        So, don't want to mess ar

        • by HiThere ( 15173 )

          Those "facts" are not compelling. I don't remember the filesystem I used the last time I formatted a partition for Linux on an Apple, it may well have been ext2...but it was not any version of FAT, which I won't even use on USB sticks.

          To me Apple was already only marginally attractive. If I need to use an external disk, that's switched to more than marginally unattractive.

          OTOH, I note your handle is "FakeTimCook", so perhaps your response isn't authoritative, and there actually is a decent way to avoid th

      • I'm sure the market for that is huge.

      • A Mac running X11/Linux is the only (legal) way to develop and test macOS and X11/Linux versions of one application on one machine.

        No, it isn't -- and I suspect you already know this.

        You can run Linux in a VM on macOS. So "only (legal) way" is already provably a lie.

        There is however a more lightweight way to accomplish the same ends -- install Docker for Mac and XQuartz, and configure the Docker Container to export its DISPLAY to the host [medium.com]. Done.

        (Oh look -- that link is to a blog from a team that actually uses this in development!)

        Perfectly legal at that. Who knew? Obviously not you.

        Yaz

    • by Crash Dummy Redux ( 5616896 ) on Saturday November 10, 2018 @03:53PM (#57622830)
      When your Mac can no longer run the latest and greatest version of Mac OS, you can install Linux to keep using it after you get a new Mac. Now it can only be used as a paperweight.
      • by Kohath ( 38547 )

        Or you could keep running MacOs on it. Or buy a different laptop if running Linux on it 7 or 10 years from now is the most important thing to you.

    • Linux on a new Mac — why?

      Dual boot macOS and MS Windows and add a Linux virtual machine. You can develop for pretty much anything on one machine at that point, those three desktop OS plus iOS and Android.

    • by Greyfox ( 87712 ) on Saturday November 10, 2018 @04:22PM (#57622958) Homepage Journal
      I haven't checked in a while, but the old Mac Pro was a reasonably cost-effective way to get a multiprocessor Xeon system. I still have a couple of the aluminum towers from the mid 00's kicking around -- one has a 32 bit bootloader for 64 bit hardware, so if you want to run a 64 bit OS on it you have to install some code that thunks driver calls to 32 bits. That one is currently running Ubuntu Linux and is serving as a PBX system for an airport diner. The other one is currently awaiting a new Linux install and will end up being a development and test machine, which it's plenty powerful for.

      In the 10-15 years since I purchased those machines, Dell's replaced Apple for my out-of-the-box hardware needs -- I can get better hardware for the same price and they'll frequently offer Linux as an OS install option. Personally I'd usually rather just build my own hardware, but sometimes you just need some hardware immediately. I've gotten some pretty beefy server hardware from Dell and been mightily impressed by it, and am actually dropping some decades-old grudges against the company with the caveat, "They're great as long as you NEVER have to talk to their support people."

      So yeah, there are less expensive ways to get better hardware, so unless you have a boner for some of Apple's hardware, there's really not any reason to buy them. Funnily the last time they went all proprietary like this, they almost went bankrupt. Given how popular Linux is now, I'm not sure Microsoft will bail them out if it happens again.

    • A MacBook Pro is the first laptop I had no desire to install Linux. With Homebrew and MacOS it's pretty much Linux with MS Office.

    • by Kjella ( 173770 ) on Saturday November 10, 2018 @05:06PM (#57623116) Homepage

      Seems like the most expensive way to get a Linux system. There have to be at least a dozen better choices for less money.

      That's not really the point. If Apple is allowed to make x86 hardware that won't run Linux, I bet Microsoft will "align" their policy to allow it and do the same to their Surface line. Then the OEMs will follow. And then System76 and other niche players are your only choice. Considering they explicitly mention the Linux signing key this is not an accident, it's probably a trial balloon from Apple to see what happens if they ship Macs that don't run Linux ahead of a migration to ARM. Since Windows on ARM doesn't make much sense, they're setting up a play where the new Macs only run Apple's OS and nothing else.

      Remember the PC as an open platform is something of an historical accident based on the naivety of IBM. Microsoft introduced the lock down capability with Secure Boot, but couldn't go through with it due to public outcry. They did try to lock it down with WinRT, except it flopped. Apple did lock down the mobile side with iOS and would like to do it on Macs. It's only dual-booting Mac and Linux users who'd like the status quo preserved. Don't assume that it'll transfer to any new "class" of desktop and don't assume it won't happen. The desktop is ripe for a major cataclysm like what iPhone/Android did to the mobile market.

      • Dual booting Mac is a very niche audience thing, apple doesn't care if they lose those people. VM are more convenient anyway.

        • apple doesn't care if they lose those people

          And yet along with the T2 chip that enforces signed code at boot time they included a utility in MacOS to disable it specifically to allow dual booting. They even go as far as to allow dual booting with Windows while maintaining secure boot on.

          That's a lot of effort for not caring.

      • Considering they explicitly mention the Linux signing key this is not an accident, it's probably a trial balloon from Apple to see what happens if they ship Macs that don't run Linux ahead of a migration to ARM.

        Or, it's just a support headache that they'd rather avoid. Don't jump to malice if laziness will do. Supporting Linux on their metal costs money for what I can imagine is little gain. By stating that people are on their own to run Linux then they can wash their hands clean of any problems brought to them such as people wiping their drive of valuable data in the process.

    • by AmiMoJo ( 196126 )

      What if you hate USB ports and prefer your hard drive soldered in?

      More seriously a lot of people want to run MacOS and Linux on the same machine.

    • by jbn-o ( 555068 ) <mail@digitalcitizen.info> on Saturday November 10, 2018 @08:07PM (#57623708) Homepage

      You're missing the point: Users deserve full control over their own computers. The user should decide what OSes they want to run. Treating users unethically by denying their software freedom is unjust. There are also ecological consequences others will no doubt get into which in the large affect us all. The amount of money spent on the computer is a very minor point at best.

    • I can see using an old Mac to put Linux on, just to give the old system some life again. But a new system? You are really burning money. Macs never had too many options so you will get a computer with hardware that you will not use or isn’t supported by Linux (or Windows)
      But you can get many decent PC equivalents for less, not because of the myth that Macs are overpriced, but because you can choose a system with the stuff you care about and not the stuff you don’t.

  • I mean, when you buy a Mac, you're paying a premium to get OS X. Part of the price includes that software license. Apple is willing to support Windows as an alternate bootable OS too. AND, nothing stops you from running a flavor of Linux via virtualization either, that I know of?

    So who, exactly, really has a problem with this limitation? I suppose you have a very small segment of "power users" who want a multi-boot environment that lets you start Linux, OS X or Windows from an initial menu. But realistica

    • Virtualization instead of dual booting means you need to buy twice as much RAM: half to run the host and half to run the guest. In addition, last I checked, a developer of an application that uses the GPU would be foolish to rely on performance in a VM as representative of performance on bare metal.

      • Bullshit. The RAM used by a running guest Linux system is insignificant compared to the RAM used by the OSX host. If you need to test an app on Mac and Linux, then you can't test both at the same time by dual booting, so the RAM consumption of your app testing isn't double either.

      • Virtualization instead of dual booting means you need to buy twice as much RAM

        No it doesn't. There is no reason that the host and client OS both need the same amount of RAM. If the host is doing little else besides hosting, it doesn't need much.

        My MacBook has 16 GB of RAM. 2GB of that is in active use, mostly by the browser. If I closed my browser and fired up a VM, the VM could use 80-90% of the RAM.

        a developer of an application that uses the GPU ...

        GPU virtualization sucks, but is an area that is improving rapidly. But if GPU performance is important to your app, you wouldn't want to run it on a Mac. None of them have high pe

        • by AmiMoJo ( 196126 )

          My MacBook has 16 GB of RAM. 2GB of that is in active use, mostly by the browser.

          It doesn't work like that. Applications and the kernel might be using 2GB of RAM, but a lot more is used for caching. Try running MacOS on 2GB of physical RAM.

          In any case, the other issue with virtualization is that it tends to wreck battery life because the host OS doesn't have enough information to do a good job of power saving. You can mitigate some of it with settings but it's never going to be as good as running that OS natively.

    • by StormReaver ( 59959 ) on Saturday November 10, 2018 @02:59PM (#57622654)

      But realistically, why bother except showing off you did it?

      1) There are people for whom the hardware is great, but the operating system sucks.

      2) Eventually, Apple will cripple the operating system to sell new hardware, and lots of people will discard perfectly good hardware. Being able to install Linux on it will keep lots of toxic waste out of landfills for much longer.

      • by mspohr ( 589790 )

        I have an older MacBook Air. I fell in love with the hardware but never really liked OSX (in any of the versions since I bought it) and each version "upgrade" seemed to cripple the hardware more and more.
        Linux gives me an option to use my "made obsolete by Apple" hardware. Of course, there is now a lot of very nice hardware that will run Linux from non-Apple vendors so I don't see myself buying Apple again.

    • by HiThere ( 15173 )

      For you it's not a deal-breaker. For me it is...if the reports so far are anywhere near correct. Apple was already pretty close to the line, and has only a few features that I really care about.

      IOW, I've got to think that Apple is less abusive than MS, and that at least one of them isn't so abusive that I'm willing to put up with it to play commercial games. Stream is already giving me fewer reasons to put up with their shenanigans.

    • So who, exactly, really has a problem with this limitation?

      No one. Anyone capable of setting up a multi-boot system is also capable of following the simple instructions using the included utility in MacOS to simply disable code-signing, or to allow Microsoft's UEFI certificate (which is also used to cosign some Linux certificates).

  • T2 Chip (Score:3, Funny)

    by Anonymous Coward on Saturday November 10, 2018 @02:50PM (#57622616)

    If you try to load Linux, it terminates your booting. If you manage to break through the security, it states, "I'll be back" and relentlessly pursues you until you are terminated.

  • System76 (Score:5, Informative)

    by reanjr ( 588767 ) on Saturday November 10, 2018 @02:53PM (#57622630) Homepage

    Don't fight uphill battles. System76 sells laptops with Linux pre-installed and so do many other vendors.

    • Re:System76 (Score:5, Informative)

      by Anonymous Coward on Saturday November 10, 2018 @03:27PM (#57622736)

      Don't fight uphill battles. System76 sells laptops with Linux pre-installed and so do many other vendors.

      And System76 neuters the Intel Management Engine, which is pretty awesome: https://blog.system76.com/post/168050597573/system76-me-firmware-updates-plan

    • MacBook users switching to System76 will have to start carrying two laptops: one on which to run Xcode or other macOS-exclusive applications and one on which to run X11/Linux applications. In your experience, how practical is it to carry two laptops?

  • by im_thatoneguy ( 819432 ) on Saturday November 10, 2018 @03:20PM (#57622716)

    Meanwhile Windows 10 not only allows Linux in the same machine it now lets me run pretty much all of my Linux dev tools in Windows, without emulation, side by side my Windows apps in one windowed shell.

    • by xlsior ( 524145 )
      Meanwhile Windows 10 not only allows Linux in the same machine it now lets me run pretty much all of my Linux dev tools in Windows, without emulation, side by side my Windows apps in one windowed shell.

      Only on x86. Microsoft did enable secureboot and prevented other OSes from running on their crappy short-lived 1st gen ARM-based Windows 10 RT surface tablets as well. (And we all know the only reason they kept the x86 version "open" was to prevent another monopoly abuse lawsuit.)
    • Re: (Score:2, Informative)

      Meanwhile Windows 10 not only allows Linux in the same machine it now lets me run pretty much all of my Linux dev tools in Windows, without emulation, side by side my Windows apps in one windowed shell.

      And, also Meanwhile...

      TFS LIES!

      https://liliputing.com/2018/11... [liliputing.com]

      https://www.omgubuntu.co.uk/20... [omgubuntu.co.uk]

      BTW, editors and Slashtards, I found these references in 0.5 secs. of Googling.

      Nice work, fucktards!

    • Meanwhile Windows 10 not only allows Linux in the same machine it now lets me run pretty much all of my Linux dev tools in Windows, without emulation, side by side my Windows apps in one windowed shell.

      In other words Windows finally provides a full *nix console environment natively, as Mac OS X (now macOS) has done since day one.

      And your dev tools are probably not Linux specific and likely run just fine under BSD, including macOS.

  • high priced walled/semi walled garden. It is what it is, so if you're after flexibility and having things your way, you might need to take what comes or maybe go a different direction.

    Just my 2 cents ;)
  • Secure Boot (Score:2, Interesting)

    by Anonymous Coward

    When UEFI with Secure Boot was implemented several years ago, I warned that Secure Boot could be used to block Linux. But the Secure Boot people assured us that Linux could still boot by using a certified stub from Microsoft. That still was alarming to me because then Linux was relying on something from Microsoft, which historically had been very much against Linux. But even then, Secure Boot could still be disabled allowing Linux to be installed on the local storage device.

    I never thought it would be Ap

  • OS X is a modified version of BSD Unix [wikipedia.org]. Just pop up a terminal in OS X and you have a good old Unix shell [macpaw.com].
    • by tomxor ( 2379126 )

      Because Apple like to obsolete hardware quickly both officially and by making old hardware run slow on their latest OS version while EOLing older versions of their OS... I have a 10 year old MBP that is decent Linux machine, it doesn't matter that it's Linux specifically, it matters that you have the freedom to continue to boot other OS on your hardware... Apple have recently come to the conclusion that it is not your hardware, but it's theirs, even if you pay them.

      This is officially goodbye Apple, you trul

    • by HiThere ( 15173 )

      Sorry, but that's a good reason to avoid the restrictions that come with an official Apple version of BSD. Particularly as I prefer KDE. However it's not true. Apple does have certain advantages. The only question is are they worth the extra cost, and this makes it sound like the answer is no.

      OTOH, it may be incorrect. The answers that I got when following the links given by the apologists saying that it was incorrect, however, cause me to believe that it's true enough that Apple isn't worth the hassle

  • Apple wants to dictate how you can use their devices. Film at 11.
  • Apple has you by the balls AND has a finger up your ass
  • I didn't think it would come from Apple first, I thought it would come from Microsoft first, but here it is: You're being forced to run certain OS whether you like it or not. You were all warned of this, you chose to scoff at the warning and ignore it, and now you have to put up with the consequences. If this behavior is adopted by all motherboard manufacturers and OEMs then everyone is screwed.
  • No they don't! (Score:5, Informative)

    by thegarbz ( 1787294 ) on Saturday November 10, 2018 @08:45PM (#57623820)

    Not sure if this should be considered fake news or ignorance. What Apple have done is no different than any other device shipped with Secure Boot enabled by default, and it is just as configurable.

    Simply boot into MacOS via recovery mode and from there you can use the Startup Security Utility to configure the boot requirements by selecting
    a) only MacOS to boot,
    b) any signed certificate such as Microsoft's UEFI certificate which is also used by some Linux SecureBoot systems, or
    c) disable the check completely.

    https://support.apple.com/en-u... [apple.com]

  • by argee ( 1327877 ) on Saturday November 10, 2018 @10:04PM (#57624066)

    December 26, 1966. I switched to Linux, never looked back. Here is my credo: If it doesn't run Linux, or if such and such is not available for Linux,
    I don't do *any* business with them. Period, end of story. Bill Gates and Tim Cook can kiss my Alaskan Arse.
