Whatever the reason for this situation, if you really care about running Linux, then buy hardware that can easily run Linux. This is a good way to vote with your wallet for Linux support.
Not just Linux, really. Anyone who’d like to run anything besides whatever Cupertino deems allowable for ‘their’ hardware would do well to avoid these products as they have a built-in expiry date: a time will come when Apple deems this hardware ‘too old’ to ‘support’ - as in ‘provide software signed with the correct key to allow it to be installed’ - without the normal escape route.
There’s another reason to avoid Apple hardware if you don’t intend to run an Apple OS on it: the hardware prices are so high in part because they subsidize software development. Why pay for something you don’t intend to use?
This is my feeling as well. The machines are IMHO not worth the premium you pay (in price and in PITA) if you’re not going to be using OS X.
My previous employer issued everyone with a macbook, but let them install whatever OS they wanted.
My current one gave us a choice. I chose an X1 Carbon Thinkpad. Most blissful Debian experience ever.
OpenBSD devs seem to use a lot of Thinkpads. If FreeBSD and NetBSD work well, too, then extra BSD support might be a reason to vote with the wallet on them, too.
It’s true that no one is buying a macbook to install linux on it but how will people ever try linux when most people have laptops that block them from installing alternative OSs. Most of my first experiences with linux are with a macbook I already owned before using linux.
Say what now? Surely that’s not what you meant to say? Many of us buy laptops with the intent of only (or mainly) running Linux on them.
Sorry I meant to say no one is buying a macbook to only use linux on it.
I’d say that is as far from ‘true’ as can be. I never bought a laptop which I did not install Linux on.
It is far more likely that it is ‘true’ that nobody buys a laptop to install MacOS or Windows on for the simple reason that these tend to come pre-installed. Yes, there is the very occasional ‘hackintosh’ but those are far more rare than Linux installs. Another thing which is certainly true is that many people buy laptops with MacOS or Windows on them, only to wipe these to install Linux.
Sorry I made a mistake. Meant to type no one is buying a macbook to only use linux.
Title is slightly wrong. You can boot it but you can’t install it because the OS is blocked from seeing the internal storage.
I don’t think “blocked from seeing the internal storage” is quite the correct characterization. The T2 chip is acting as an SSD controller, I bet if somebody takes the time to write a T2 driver for Linux everything will work just fine. The difficulty there will likely be that there is no datasheet available for the chip so the driver will have to be reverse engineered from mac OS which is certainly not trivial.
This has shades of the “Lenovo is blocking Linux support” “incident” where Lenovo just forced the storage controller into a RAID mode Linux didn’t have a driver for.
At least from what the system report tool says the drive appears as an NVME SSD and just an iteration on the one from previous generations (AP0512J vs AP0512M in the 2018 Air). So it might just work with the Linux NVME drivers once there’s a working UEFI shim that’s trusted. At that point this tutorial seems plausible.
Trust is not an issue because secure boot can be completely disabled.
As the article mentions, people who tried live USBs found out that the internal storage is not recognized. So looks like T2 is indeed actually acting as an SSD controller. (And of course macOS would report the actual underlying SSD even if there is no direct connection to it. The T2 could be reporting that info to the OS.)
Unless they completely and utterly butchered the initialization, no amount of datasheets will save you. From the T2 documentation:
By default, Mac computers supporting secure boot only trust content signed by Apple. However, in order to improve the security of Boot Camp installations, support for secure booting Windows is also provided. The UEFI firmware includes a copy of the Microsoft Windows Production CA 2011 certificate used to authenticate Microsoft bootloaders.
NOTE: There is currently no trust provided for the Microsoft Corporation UEFI CA 2011, which would allow verification of code signed by Microsoft partners. This UEFI CA is commonly used to verify the authenticity of bootloaders for other operating systems such as Linux variants.
To bypass the check of the cryptographic signature, you’d probably have to find some kind of exploitable vulnerability in the verification code (or even earlier in the boot process so that you get code execution in the bootloader before the actual check).
As the article says, you can disable the T2 Secure Boot so the code signature verification is not the problem at that point. The problem then is that the T2 acts as the SSD controller, and nobody has taught Linux yet how to talk to a T2 chip. The article incorrectly conflates the two issues.
Doesn’t look like it’s conflating them. You might have to scroll down further :) but there’s a screenshot of the Startup Security Utility and this text:
However, reports have come in that even with it disabled, users are still unable to boot a Linux OS as the hardware won’t recognize the internal storage device. Using the External Boot option (pictured above), you may be able to run Linux from a Live USB, but that certainly defeats the purpose of having an expensive machine with bleeding-edge hardware.
Secure boot can be disabled. Then the machine will boot anything you tell it to boot, bringing the security in line with machines predating the T2.
Source: I tried it out on my iMac pro which is a T2 machine.
edit: mis-read that. Yeah until they add partner support you’re probably pretty stuck. Although somebody like RedHat or Canonical that have relationships with Microsoft might be able to have them cross-sign their shim to support booting on the new Air. Either that or we’re stuck waiting for Apple to support the UEFI CA.
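Which of the two Microsoft CAs named in the documentation excerpt a firmware trusts can be checked by inspecting its signature database (`db`). The following is an added example, not code from the thread or from Apple: it parses the UEFI `EFI_SIGNATURE_LIST` layout, and the function names and the sample db are constructed for illustration.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI specification, in on-disk (mixed-endian) form.
X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le
SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328").bytes_le

# The quoted documentation writes "Production CA"; the certificate's own subject reads "PCA".
WINDOWS_CA = b"Microsoft Windows Production PCA 2011"
THIRD_PARTY_CA = b"Microsoft Corporation UEFI CA 2011"  # the CA used for Linux bootloaders
HEADER = 28  # 16-byte type GUID + three little-endian uint32 size fields


def x509_entries(db: bytes):
    """Yield the DER bytes of every X.509 entry in a run of EFI_SIGNATURE_LISTs."""
    offset = 0
    while offset < len(db):
        if offset + HEADER > len(db):
            raise ValueError(f"truncated list header at offset {offset}")
        sig_type = db[offset:offset + 16]
        list_size, header_size, sig_size = struct.unpack_from("<III", db, offset + 16)
        end = offset + list_size
        if list_size < HEADER or end > len(db) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {offset}")
        pos = offset + HEADER + header_size
        while pos + sig_size <= end:
            if sig_type == X509_GUID:
                yield db[pos + 16:pos + sig_size]  # drop the 16-byte SignatureOwner GUID
            pos += sig_size
        offset = end


def db_names(db: bytes, names=(WINDOWS_CA, THIRD_PARTY_CA)) -> dict:
    """Heuristic: which CA names occur in any X.509 entry (also matches issuer fields)."""
    certs = list(x509_entries(db))
    return {n.decode(): any(n in c for c in certs) for n in names}


def make_list(sig_type: bytes, payload: bytes) -> bytes:
    """Build a one-entry EFI_SIGNATURE_LIST from constructed data (not a real certificate)."""
    entry = bytes(16) + payload
    return sig_type + struct.pack("<III", HEADER + len(entry), 0, len(entry)) + entry


# Constructed db resembling the configuration the quote describes: one hash entry
# and one placeholder "certificate" that carries only the Windows CA name.
SAMPLE_DB = make_list(SHA256_GUID, bytes(32)) + make_list(X509_GUID, b"CN=" + WINDOWS_CA)
```

On Linux the real variable can be read from `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f`; the first four bytes of that file are the variable's attributes and must be skipped before parsing.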
“can’t install it because the OS is blocked from seeing the internal storage” reminds me of this bug from a few years back: https://github.com/voidlinux/void-packages/issues/6232. The MacBook in question was my partner’s. She had a less than stellar experience with Linux on the MacBook Air.
I wonder if in fact they are the same problem.
Apple continues its firm, unwavering dedication to user-hostility.
Well, the T2 allows for significantly better SSD performance, so it’s only hostile to users who aren’t interested in using Apple’s system.
ETA: was “their system”, which was unclear. Pronouns are hard!
My understanding is that the T2 is not incompatible via being proprietary (something that could be worked around) but is incompatible via being locked down. Feels deliberate there’s an inability to fully disable secure boot, inability to add custom keys.
Unless there’s something preventing both better SSD performance and allowing full disability of secure boot?
Some people are interested in both MacOS and an alternative OS, and the only way you can authentically dual-boot MacOS is on an Apple computer.
That’s a fair point.
Well, for the tiny fraction of users who want to run an alternative operating system, sure. For the other 99% (?) who just want to use Mac OS securely, the more locked down the boot process is, the better.
There’s a way to turn off System Integrity Protection (aka “rootless” mode), so there could also be a way to disable secure boot at some point. But even if that happened, I don’t know if there’s an incentive for Apple to document their proprietary hardware interfaces, and they’re on track to use a lot of proprietary hardware in the coming years.
I got into linux because it was easy to dual boot my macbook pro. Looks like they’ve finally plugged that leak in their customer base.
More on the 2016 models: https://github.com/Dunedan/mbp-2016-linux
Recently someone modified the wifi driver blob to get 2.4GHz fixed, but there’s still no support for 5GHz.
OK? I mean, this is a drag for people who use Linux, and wanted Apple hardware, but I feel that the delta between Apple hardware and other OEM hardware is closer than it’s been in a very long time, and if you’re not buying to run OS X, why pay the delta?
Funny, I think the delta is the largest it has ever been. IMO there’s simply no contest anymore, while back in the day Thinkpads were actually better.
I don’t know. I was a Mac user for 7 years, until about two months ago when I bought a Matebook X Pro. Is the hardware as good as Apple? No, but it’s damn close for a computer that cost $1k less than the equivalent Macbook Pro. In fact, it wasn’t even cost, but rather the “innovative” features on the new Macbook Pros (the super low-profile keyboard and the useless touchbar) that pushed me to make the jump.
Apple still has an edge, but it’s becoming smaller and smaller. I’d say that the biggest quality-of-life advantage Apple still has is just how well integrated their OS and hardware is, even though Apple seems to be on a campaign to make OS X actively hostile to the very software engineers like me who used to choose the Mac because it was a “better POSIX experience”.
New apple hardware is good? Or is the go-to macbook still the 2010-2012 models? IIRC those were the last to use 2.5” SATA drives and normal resolution screens. The retina macbooks lost that stuff but at least retained an okay keyboard. So I would be curious to hear what’s good about the new macbooks, if that’s indeed what you’re saying.
Buy https://www.thinkpenguin.com/ computers if you want to run Linux and have the cash to buy an Apple.
(not affiliated, I just support their mission!)