[Linux doesn't support T2 as an SSD controller] Apple's T2 Secure Boot chip is blocking usage of Linux in T2 chip Macs

https://www.phoronix.com/scan.php?page=news_item&px=Apple-T2-Blocks-Linux-UEFI


THE TRUTH:

The Apple T2 controller is also an SSD controller for the internal SSD. Linux doesn’t support the T2 controller as a storage controller to the soldered NAND on the mainboard. (Yes, it’s now both soldered RAM and NAND.)

Yes, you can turn off Secure Boot and allow booting from external storage, but Linux can’t see the internal SSD so there’s nowhere else to install to other than external storage… for now.

FUD.

3 Likes

@FurryJackman can you put [Debunked] or something in the title of this thread please? Thanks.

1 Like

Remember when they said this about Microsoft?

image

5 Likes

Phoronix just posted this update:

Update 2: It looks like even if disabling the Secure Boot functionality, the T2 chip is reportedly still blocking operating systems aside from macOS and Windows 10.

And provided this link:

Only a sample size of one… I don’t know Michael, confirmation bias much?

Now I don’t know who’s actually making Fake News. Phoronix or OMG Ubuntu…

It’s about time the Linux kids got with the code-signing program and instead of pooh-poohing it, actually sign your stuff.

You can bitch and complain about secure boot setups but it addresses a legitimate concern: ensuring that only legit code runs.

Personally, that concern is legitimate with laptops that fly between Mainland China and outside it. China already has a backdoor in Skype, so they can easily backdoor this if they wanted to. You have no privacy there BTW, all traffic is monitored. And they compromise your laptops instantly if you are a high value target.

Anyone checked to see if MacOS will boot on Apple T2 hardware with Secure Boot disabled?

(I’ve had one experience putting Linux on Apple: a 2015 MacBook Pro. Linux could not handle the machine’s hardware-enabled switching from the onboard Intel video to the discrete GPU. One or the other had to be disabled during the boot process before the kernel loaded by using Grub to emit a magic string of bytes. Once booted, fan control was nonexistent – all max all the time. After the first kernel update the machine did not boot and I put OS X back on because for a machine intended for casual use there was no reason not to.

(So, if someone wants to extend the useful lifetime of older hardware Apple no longer supports, I can see installing Linux if it turns out not to break every other update. Otherwise, not.)

Probably neither. It’s okay to be uninformed and make mistakes without knee jerk reaction screeching in this world. I’m sure once Phoronix performs tests themselves or has an influx of confirmation, they’ll make another update.

1 Like

Where does the T2 chip have a repair kill switch?

Their source is that one post on Stack Exchange who isn’t the source, whose source is a single page on a web site saying you can’t but they never tried but you still can’t.

Hmm…

It’s referring to the encryption keys I believe. Stuff like the hard drive cannot be replaced without losing all your data, unless you go to a repair tech and use transfer tools.

Don’t own a Mac and don’t keep up, just odd bits I have read.

There were claims simply replacing the display required the change to be “blessed” through a cloud authentication service, blocking third-party repairs:

One Reddit post claims Linux can still be installed on an external drive with the T2 disabled. Seems the internal SSD is still locked so OSes cannot be installed alongside macOS:

Ahh-- the issue is that the new T2 chip actually manages the storage, in the same way that your chipset usually manages it on standard PCs. I betcha Linux just doesn’t support the T2 yet.

1 Like

By default, all Macs ship with FileVault and full disk encryption enabled.

At least with the 2015 MacBook Air, you can decrypt the filesystem and exit FileVault lock mode. And I’ve run Live USBs on that thing like crazy.

What does that have to do with anything? Linux doesn’t run on HFS+ or APFS.

FileVault/Encryption also encrypts the EFI partition when full disk encryption is set. What’s unclear is the behavior after you turn off all the protection with the T2 chip. With previous chips, the EFI partition is unlocked cause the disk is fully decrypted.

I don’t see why that would matter, since you can install linux on a mac without disabling filevault.

Okay, seems the issue is Linux literally can’t see the controller that handles the internal SSD. It’s no longer using a standard NVMe according to teardowns, so yes, the internal SSD actually has the T2 as its controller, directly communicating with the NAND that’s soldered onto the mainboard. (So no, you cannot upgrade your SSD anymore)

1 Like
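
An added example, not from any poster in this thread: from a live USB, one way to tell "a storage controller is on the PCI bus but no Linux driver has claimed it" apart from "no storage controller is visible at all". It reads the standard Linux sysfs PCI tree; the function names and the `UNBOUND` label are made up here, and the thread does not say whether the T2's storage function shows up on the PCI bus, so that part is an assumption.

```shell
#!/bin/sh
# List PCI mass-storage controllers (base class 0x01) found under a sysfs
# root and report which kernel driver, if any, is bound to each one.
# Usage: storage_controllers [sysfs_root]   (default: /sys)
storage_controllers() {
    root="${1:-/sys}"
    for dev in "$root"/bus/pci/devices/*; do
        [ -r "$dev/class" ] || continue      # also skips an unmatched glob
        class=$(cat "$dev/class")
        case "$class" in
            0x01*) ;;                        # 0x01xxxx = mass storage
            *) continue ;;
        esac
        # sysfs exposes the bound driver as a symlink named "driver";
        # no symlink means nothing in the running kernel claimed the device.
        if [ -L "$dev/driver" ]; then
            drv=$(basename "$(readlink "$dev/driver")")
        else
            drv="UNBOUND"
        fi
        vendor=$(cat "$dev/vendor" 2>/dev/null || echo "?")
        device=$(cat "$dev/device" 2>/dev/null || echo "?")
        printf '%s class=%s id=%s:%s driver=%s\n' \
            "$(basename "$dev")" "$class" "$vendor" "$device" "$drv"
    done
}

# Number of storage controllers present on the bus with no driver bound.
unbound_storage_count() {
    storage_controllers "$1" | grep -c 'driver=UNBOUND' || true
}

# Report for the running system (prints nothing if no PCI storage is visible).
storage_controllers /sys
```

An `UNBOUND` line means the hardware enumerates but the kernel has no matching driver, so no block device appears for an installer to target; no output at all means nothing storage-class is visible on the bus.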