[Linux doesn't support T2 as a SSD controller] Apple's T2 Secure Boot chip is blocking usage of Linux in T2 chip Macs

Anyone checked to see if MacOS will boot on Apple T2 hardware with Secure Boot disabled?

(I’ve had one experience putting Linux on Apple: a 2015 MacBook Pro. Linux could not handle the machine’s hardware-enabled switching from the onboard Intel video to the discrete GPU. One or the other had to be disabled during the boot process before the kernel loaded by using Grub to emit a magic string of bytes. Once booted, fan control was nonexistent – all max all the time. After the first kernel update the machine did not boot and I put OS X back on because for a machine intended for casual use there was no reason not to.

(So, if someome wants to extend the useful lifetime of older hardware Apple no longer supports, I can see installing Linux if it turns out not to break every other update. Otherwise, not.)

Probably neither. It’s okay to be uninformed and make mistakes without knee jerk reaction screeching in this world. I’m sure once Phoronix performs tests themselves or has an influx of confirmation, they’ll make another update.

1 Like

Where does the T2 chip have a repair kill switch?

There source is that one post on stack exchange who isn’t the source, who’s source is a single page on a web site saying you can’t but they never tried but you still can’t.


Its referring to the encryption keys I believe. Stuff like the hard drive cannot be replaced without losing all your data, unless you go to a repair tech and use transfer tools.

Don’t own a Mac and don’t keep up, just odd bits I have read.

There were claims simply replacing the display required the change to be “blessed” through a cloud authentication service, blocking third-party repairs:

One Reddit post claims Linux can still be installed on a external drive with the T2 disabled. Seems the internal SSD is still locked so OSes cannot be installed alongside macOS:

Ahh-- the issue is that the new T2 chip actually manages the storage, in the same way that your chipset usually manages it on standard PCs. I betcha Linux just doesn’t support the T2 yet.

1 Like

By default, all Macs ship with FileVault and full disk encryption enabled.

At least with the 2015 Macbook Air, you can decrypt the filesystem and exit FileVault lock mode. And I’ve run Live USBs on that thing like crazy.

What does that have to do with anything? Linux doesn’t run on HFS+ or APFS.

FileVault/Encryption also encrypts the EFI partition when full disk encryption is set. What’s unclear is the behavior after you turn off all the protection with the T2 chip. With previous chips, the EFI partition is unlocked cause the disk is fully decrypted.

I don’t see why that would matter, since you can install linux on a mac without disabling filevault.

Okay, seems the issue is Linux literally can’t see the controller that handles the internal SSD. It’s no longer using a standard NVMe according to teardowns, so yes, the internal SSD actually has the T2 as it’s controller, directly communicating with the NAND that’s soldered onto the mainboard. (So no, you cannot upgrade your SSD anymore)

1 Like

Yep, that was my guess earlier. Linux needs to support that T2 controller. Question is whether Apple plays ball or they need to reverse-engineer it, in which case it could be awhile.

Same deal with the iMac Pro. With T1 and T2, it’s not NVMe, it’s bare NAND and a proprietary controller. Though arguably it was a proprietary SSD in modified NVMe form factor in 2015, but at least Linux can see that Samsung controller, even though it was “proprietary.”

The 2017 MBP works and Linux can see the internal SSD, but T2 is invisible to Linux.

You mean industry standard AES?

Do you remember when the PowerMac G5 was released, they said it would take a supercomputer 149 trillion years to defeat AES? That was how the world was introduced to FileVault.

And found the archive [dot] org page:


What’s your point?

Mine was that it isn’t “proprietary encryption” - it is industry standard AES. Same stuff used in millions of IPSEC connections the world over, other on disk encryption setups, etc.

There was a compatibility issue with the encryption when High Sierra got introduced, but then I quickly realized that can happen with any form of encryption, as implementation can cause these problems, not the actual crypto itself.

So yeah, I wasn’t gonna explain myself and look dumb. I originally had the point that Apple’s encryption was the root of the problem, but it’s not the crypto, it’s the implementation.

Now that we know Linux can’t even see the T2 controller, that rules out filesystem/full disk encryption cause people have been able to install other OSes on T1 just fine.

The wrong information is still being spread.