Does Apple stop Linux from booting on its newly refreshed Mac Mini PC or MacBookAir laptops?
That’s the claim currently circling the web‘s collective drain. The posit is that the new T2 ‘secure enclave’ chip Apple has baked in to its new models prevents Linux from booting.
But is this actually true?
Kinda. The answer is both “yes, technically” and “no, not completely”.
The T2 Chip & Linux
Apple’s new Mac Mini and MacBook Air systems both feature the custom engineered T2 ‘secure enclave’.
The T2 chip, which ships on the new Mac Mini and MacBook Air computers, is designed to help to toughen device security, handle encryption, manage touch ID, and ensure the microphone can’t “always listen” when the lid is closed.
As configured out of the box, the T2 does prevent Linux from booting. In fact, it’ll stop anything that isn’t macOS, as Apple’s own documentation points out:
NOTE: There is currently no trust provided for the Microsoft Corporation UEFI CA 2011, which would allow verification of code signed by Microsoft partners. This UEFI CA is commonly used to verify the authenticity of bootloaders for other operating systems such as Linux variants.
But that’s not where the answer ends.
Firstly, Apple could choose to add support for the Microsoft UEFI CA 2011 certificate. This certificate is the same one that allows Linux users to dual boot distros like Ubuntu with Windows 10 and keep secure boot enabled.
Alas, it hasn’t.
Secondly, the whole “Secure boot” policy itself can be disabled.
You Can Boot Linux on the new MacBook Air
Apple has created a new “Startup Security Utility” for Mac computers that ship with the Apple T2 Security Chip.
This utility can be accessed by booting into macOS Recovery and grants access to a wide range of security policy settings.
Apple state: “[…On] computers with the T2 chip. The user is in control of the device’s settings, and may choose to disable or downgrade the secure boot functionality.”
Because “the user is in control” of their device’s settings, it includes the secure boot policy that prevents Linux distros from loading.
Anyone can boot Linux on the new Mac Mini and MacBook Air models — they just need to disable secure boot first.
Some people will find that tradeoff worth the hassle of booting into recovery. Others won’t. Either way the option means there’s no need to panic if you’re a Linux user with a Cupertino hardware fetish.
Plus, as always, there are plenty of Linux-friendly laptops and desktop PCs out there which aren’t made by Apple…