
Apple's Hardware with T2 Security Chip Will Currently Block Linux from Booting - protomyth
https://www.phoronix.com/scan.php?page=news_item&px=Apple-T2-Blocks-Linux-UEFI
======
amaccuish
This has been duped many times. And wrong. There is an option to entirely
disable secure boot.

See this for accurate info:
[https://www.omgubuntu.co.uk/2018/11/apple-t2-chip-cant-boot-...](https://www.omgubuntu.co.uk/2018/11/apple-t2-chip-cant-boot-linux)

Dupes:

[https://news.ycombinator.com/item?id=18383250](https://news.ycombinator.com/item?id=18383250)

[https://news.ycombinator.com/item?id=18396925](https://news.ycombinator.com/item?id=18396925)

[https://news.ycombinator.com/item?id=18383512](https://news.ycombinator.com/item?id=18383512)

------
mirashii
I'm a little bit disappointed that Phoronix is helping to spread this awful
headline that has been bouncing around a few days.

Currently Linux does not support interfacing with Apple's new T2 chip to use
the internal SSD. Other than that small detail, Linux boots fine, Linux can be
installed and booted off of external media.

~~~
eigenspace
If I understand correctly, you don't even need to boot off an external hard
drive. According to [1], you only just need to disable their new 'secure boot'
feature and you can install Linux on the internal hard disk.

[1] [https://www.omgubuntu.co.uk/2018/11/apple-t2-chip-cant-boot-...](https://www.omgubuntu.co.uk/2018/11/apple-t2-chip-cant-boot-linux)

_______________________________________________________

Edit: If I had read the original post, I'd see the link [2] at the bottom
pointing to some people claiming this indeed does not work.

[2]
[https://unix.stackexchange.com/questions/463422/2018-macbook...](https://unix.stackexchange.com/questions/463422/2018-macbook-pro-tb-1tb-ssd)

------
rocqua
Crypto is being used to keep owners from fully controlling their hardware. We
see this with secure boot being totally under control of the manufacturers.

There is no reason except unwillingness not to allow the owner some way to
control what keys are trusted for secure boot. Secure boot, in its essence, is
a good security mechanism. Yet if we let them, companies will use it against
us.

Something similar is happening with cert-pinned devices. For example, Amazon
Echo uses cert pinning. This means there is no way for a user to see what
_their_ device is sending home. For many intents and purposes, this means they
aren't the owner of the device. Instead, they have a license.

Why ought it not be possible for a user to install their own root
certificates on these devices?

------
cm2187
But what is the rationale for using apple hardware for linux? I can understand
for laptops but for a little desktop computer, why pay the Apple premium, over
say Intel’s NUC if it is not to use the Apple ecosystem?

~~~
tbrock
Besides Lenovo there are no quality laptop PC vendors.

Every laptop besides Apple or Thinkpad is garbage.

~~~
rocqua
Dell business laptops aren't horrible.

Recent Thinkpad laptops have moved away from good Linux compatibility. My 2016
ThinkPad still doesn't have a functional Linux fingerprint scanner.

~~~
regecks
Are you sure? I'm using an X1 Carbon Gen 5 (which I believe is 2016? maybe
2017), and I read that Linux 4.18 (which comes with Ubuntu 18.10) now has
functional fingerprint support. I haven't tried it yet, not a fan of biometric
authentication.

Either way, the laptop works great with Linux.

Edit: Looks like the fprint support is not quite there yet:
[https://gitlab.freedesktop.org/libfprint/libfprint/issues/54](https://gitlab.freedesktop.org/libfprint/libfprint/issues/54)

------
ethbro
What was that about cryptographically secure boot chains being a good idea,
again?

~~~
rocqua
You need a secure OS to protect a TPM against brute force attacks. You need
secure boot to get that.

Why do we want a TPM? Because it gives guaranteed secret private keys. This
means the keys can never be stolen, not even from RAM.

