Macs to Linux fans: Stop right there, Penguinista scum, that's not macOS

By Richard Speed 6 Nov 2018 at 20:23

The knickers of the Linux world have become ever so twisty over the last few days as Penguinistas fell foul of the security hardware in their pricey Apple hardware.

Reports are coming in of Linux fans struggling to get their distribution of choice to install on the latest Cupertino cash cows with fingers pointed at the T2 chip.

The T2 does all manner of things in the latest batch of Macs (including the new MacBook Air and Mac mini models announced last week) including dealing with the SSD, audio, and secure boot. And it is with the latter that problems appear to be occurring.

Out of the box, the Mac doesn't like to boot anything that isn't Apple approved. It will go into Recovery, Diagnostics or Internet Recovery mode, but anything else is a definite no-no. The machines will, by default, only trust content signed by Apple.

In documentation for the T2 chip (PDF) kind old Cupertino concedes that people might want to use other, non-Apple, operating systems and so you can use BootCamp to get Windows up and running thanks to a copy of the Microsoft Windows Production CA 2011 certificate in the UEFI firmware.

The problems come when you want to run something that isn't Windows. In the past, Linux fans were able to make use of the Microsoft Corporation UEFI CA 2011. But not any more. According to Apple: "There is currently no trust provided for the the Microsoft Corporation UEFI CA 2011."

This is bad news since, in Apple's words, "This UEFI CA is commonly used to verify the authenticity of bootloaders for other operating systems such as Linux variants."

At this point Penguinistas would expect to be able to reach for the Apple Startup Security Utility, which provides the option to boot with No Security. However, according to Apple, this option "does not enforce any requirements on the bootable OS".

Obviously, this has its downsides, but if you're savvy enough to try to put Linux on a Mac, you should understand the implications.

The problem is that, according to a posting on StackExchange, changing the Secure Boot option "makes no difference".

Alas, here at Vulture Central we do not have any shiny new Macs on which to verify the problem and Apple, as one would expect, remains tight-lipped on the issue. However, we can report that Ubuntu runs an absolute treat on a Dell XPS.

Microsoft also has a Secure Boot implementation. However, for a PC to be certified for Windows 10, it "must allow the user to completely disable Secure Boot".

Linus Torvalds memorably declared his love for his MacBook Air back in 2014. That affection may have soured somewhat since Apple has continued to flex its muscles and exert ever more control over user's hardware. After all, Cupertino would be a lot happier if everything worked like an iPad.

Any Linux fan tempted to drop some big bucks on Apple's latest and greatest would be wise to consider holding off until things settle down, unless virtualization will do the job.

Otherwise the likes of Dell or Lenovo will happily sell you some kit more than capable of running the open-source OS. Or pretty much anything else you want.

It is your hardware after all. ®