Apple's New Hardware With The T2 Security Chip Will Currently Block Linux From Booting
Written by Michael Larabel in Hardware on 5 November 2018 at 09:04 AM EST. 65 Comments
HARDWARE --
Apple's MacBook Pro laptops have become increasingly unfriendly with Linux in recent years while their Mac Mini computers have generally continued working out okay with most Linux distributions due to not having to worry about multiple GPUs, keyboards/touchpads, and other Apple hardware that often proves problematic with the Linux kernel. But now with the latest Mac Mini systems employing Apple's T2 security chip, they took are likely to crush any Linux dreams.

At least until further notice, these new Apple systems sporting the T2 chip will not be able to boot Linux operating systems. Apple's T2 security chip being embedded into their newest products provides a secure enclave, APFS storage encryption, UEFI Secure Boot validation, Touch ID handling, a hardware microphone disconnect on lid close, and other security tasks. The T2 restricts the boot process quite a bit and verifies each step of the process using crypto keys signed by Apple.


Apple Mac Minis used to work fine on Linux, but that appears to no longer be the case... Or for any other Apple hardware with the T2 security chip enabled.


By default, Microsoft Windows isn't even bootable on the new Apple systems until enabling support for Windows via the Boot Camp Assistant macOS software. The Boot Camp Assistant will install the Windows Production CA 2011 certificate that is used to authenticate Microsoft bootloaders. But this doesn't setup the Microsoft-approved UEFI certificate that allows verification of code by Microsoft partners, including what is used for signing Linux distributions wishing to have UEFI SecureBoot support for Windows PCs.

Apple's T2 documentation makes it clear and explicitly mentions Linux:
NOTE: There is currently no trust provided for the the Microsoft Corporation UEFI CA 2011, which would allow verification of code signed by Microsoft partners. This UEFI CA is commonly used to verify the authenticity of bootloaders for other operating systems such as Linux variants.

In other words, until Apple decides to add this certificate or the T2 chip otherwise is cracked so it could be fully disabled or allowed to load arbitrary keys, good luck even being able to boot Linux distributions on the new Apple hardware.

Update: According to Apple Support it may be possible to disable the Secure Boot security in full when booting to the Startup Security Utility in the macOS Recovery mode. This may allow Linux to then load on the device albeit without any boot security but by default / out-of-the-box the T2 chip will indeed prevent Linux distributions from booting.

Update 2: It looks like even if disabling the Secure Boot functionality, the T2 chip is reportedly still blocking operating systems aside from macOS and Windows 10.
About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Related Hardware News
Popular News This Week