The T2 coprocessor, which Apple fits to the iMac Pro and to all new Mac Mini, MacBook Pro and MacBook Air models, blocks at the hardware level the installation of Linux and of any other operating system apart from macOS and Windows 10.
According to the manufacturer, this makes it possible to protect user data held in the computer's memory effectively, without exposing it to leaks or unauthorized reading by third parties.
Apple has used a specialized T2 chip, which is tightly integrated with various controllers, including the system management controller and SSD controllers.
About the T2 chip
Only software certified by an Apple digital signature can be loaded and used on the T2 hardware chip, which is what made it impossible to install Linux on these devices.
The chip provides an enclave environment completely separate from the main system, in which operations related to security and encryption are carried out.
For example, the T2 handles encryption of data in storage, verification of the boot process, and recognition of fingerprints and faces.
When you try to load an operating system that is not digitally signed by Apple, the system only allows you to switch to recovery and diagnostic modes.
At the same time, the newer iMac and MacBook models with the T2 chip can boot Windows using the Boot Camp utility provided by Apple, which lets you combine macOS and Windows on one device.
When loading Windows, verification using the Microsoft Windows Production CA 2011 certificate is supported.
The Microsoft Corporation UEFI CA 2011 certificate, which is used to generate digital signatures for the bootloaders of Linux distributions, is not supported by Apple.
At the moment only Windows 10 is supported.
Unlike typical systems with UEFI Secure Boot, none of the verification certificates on Apple devices can be changed by the user, which makes it impossible to install a certificate for verifying the boot of Linux or of any operating system other than macOS and Windows.
As an alternative, Apple offers its Startup Security Utility, available when booting into macOS Recovery, which provides an option to boot without the security mode enabled (the "No Security" mode).
However, it is not yet possible to run Linux in this mode, because the T2 chip blocks the operating system's access to some subsystems that the device needs in order to work correctly.
Ways to bypass restrictions
According to information provided by Apple Support, a new startup security utility has been released for new computers with an integrated T2 chip.
This allows you to manage a number of system security settings, including disabling the secure boot feature.
Access to the program is possible by starting in macOS recovery mode.
However, as some web users point out, disabling secure boot does not give the desired result: installing GNU/Linux on new Apple PCs still fails.
As Geek User comments:
"Currently, it is impossible to install anything other than Windows 10 on Apple computers equipped with a T2 chip."
This security chip does not allow installers to see the device's hard drive. Apple generously made an exception for Windows 10 (when installed using Boot Camp).
One possible way to solve the problem is to install Linux on external USB / Thunderbolt media.
I tried this version with Windows and it worked. However, the internal support remained invisible to the system.
Undoubtedly, Apple has made some decisions that may affect the future, because we also cannot forget that the inclusion of the T2 restricts users from taking their equipment for repairs, diagnostics or simple hardware changes to repair centers other than those authorized by Apple.