Secure Boot in the Era of the T2

[monocasa]

AFAIK, there's no way to inject new keys, so you have a exclusive choice between running Linux and having secure boot enabled.

So it doesn't stop you in a way a game console might, but you lose some features of the hardware by doing so.

[MrBingley]

Even with secure boot disabled you can't install Linux on the internal SSD. Installing Linux on a Mac has already been very flaky for the last few years, but now is impossible.

https://unix.stackexchange.com/questions/463422/how-can-you-...

[_dp9d]

Interesting that Windows 10 installed via Boot Camp is an allowable exception, but Linux is not.

I wonder if Apple have an official stance on that.. i.e. "we're working on it", or "never".

[saagarjha]

This is because Apple has included the keys for Windows, but has not added the Microsoft UEFI key for Linux.

[nneonneo]

The likely problem is a lack of driver support for using the T2 as an SSD controller. I don’t think, based on Apple’s white paper, that they did anything to explicitly block Linux from accessing the internal SSD - it just needs to go through the T2 for that.

Hopefully someone is working on the necessary driver support - these laptops are still very new so maybe nobody has gotten around to it yet.

[michaelmrose]

Apple is actively blocking unsigned software from accessing the internal storage as a security measure and providing no means to add allowed keys. Its possible there is a defect in this security that could be exploited but it would be explicitly a bug and would be liable to be patched in the next version of the software. You have completely misread the situation. This is apple taking over your machine while still expecting you to pay for it.

[yeloboy]

Not if you disable secure boot. Imo they're probably right about Linux not being able to talk to T2. We'll see about that, I guess.

[saagarjha]

Yes, the issue is that Linux doesn’t know how to talk to the SSD, not Apple stopping Linux from accessing the SSD.