No, Apple's not locking you out of Linux on Mac with the T2 chip

By default, Apple's custom Mac silicon, the T2 Security Chip, prevents it from booting into unrecognized OS environments. But, Apple's not stopping power-users from changing that in settings.

Apple's T2 Security Chip provides a lot of great features for the vast majority of people, including secure boot, real-time AES 256-bit data encryption, and even Touch ID authentication for MacBook Air and MacBook Pro. For them, it's on by default and should just be left on by default.

Because of that security, it's led some power-users to believe that Apple is locking down T2 machines, including those MacBooks as well as the iMac Pro and new Mac mini, so completely you will no longer be able to do things like boot into Linux.

My understanding is that you can, in fact, boot into Linux if you really want to. You just need to disable secure boot on your Mac first.

Here's what the default, "Full Security" does:

Full Security is the default Secure Boot setting, offering the highest level of security. This is a level of security previously available only on iOS devices. During startup, your Mac verifies the integrity of the operating system (OS) on your startup disk to make sure that it's legitimate. If the OS is unknown or can't be verified as legitimate, your Mac connects to Apple to download the updated integrity information it needs to verify the OS. This information is unique to your Mac, and it ensures that your Mac starts up from an OS that is trusted by Apple.

To change it:

  1. Turn on your Mac, then press and hold Command (⌘)-R immediately after you see the Apple logo to start up from macOS Recovery.
  2. When you see the macOS Utilities window, choose Utilities > Startup Security Utility from the menu bar.
  3. When you're asked to authenticate, click Enter macOS Password, then choose an administrator account and enter its password.

From there, if you want to boot into Linux, you want to choose the "No Security" option.

Here's how Apple describes it:

The No Security setting doesn't enforce any of the above security requirements for your startup disk.

Because the T2 Security Chip is no longer verifying the system integrity, you will lose Touch ID authentication for Apple Pay. That's because it can no longer guarantee the security of the connection between Touch ID and the purchase either. If you have an iPhone or iPad, though, you can still use those to authenticate Apple Pay on your Mac, just like you would on a Mac with no built-in Touch ID.

I haven't had time to test booting into Linux on the new Mac mini yet, so it's possible there are other levers that need pulling to make it all work, but there's nothing Apple's doing to actively prevent people who really want to boot into Linux to do it. And I'm looking forward to trying it out myself in the very near future.

○ Video: YouTube
○ Podcast: Apple | Overcast | Pocket Casts | RSS
○ Column: iMore | RSS
○ Social: Twitter | Instagram

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

  • I don't see why anybody would buy a MacMini and run Linux personally. Now I do run an Ubuntu Server VM to host some LAN services at home. Bridge the NIC and it looks like its on the LAN. This would make a power house of a Plex Server at home thats for sure. It can be headless and it has lots of power. USB3 and USB-C ports to attach enough storage. I really hope Apple shows it more love over the years.
  • I can't imagine many people installing Linux on a new Mac, but the option should always be there
  • A lot of cross-platform devs run Linux (and FreeBSD as well) on Macs. It is, after all, the only platform you can develop (legally) on if you intend to have your multi-platform app run on MacOS as well. Even outside that use-case, there are still quite a number of Linux devs who work on Macs. Linus Torvalds used a MBA some years ago, if I'm not mistaken. Granted, most of these devs probably operate on VMs, but there will always be a subset of developers who'll want their applications running on "bare metal" for specific reasons. Me personally, I prefer VMs for my Linux and OpenBSD installs, mainly because I can work between operating systems concurrently. Actually, I almost exclusively do my browsing on a Debian VM with Firefox - just gives me more granular control of privacy settings and stuff. I just wish Apple would release a powerful VM suite of their own, or just buy either Parallels or VMWare's Fusion department and include it in MacOS.
  • I look forward to your results with switching off secure boot as from what I've read users who've tried this approach find it doesn't work. It seems that currently the "No Security" option has no effect when enabled. If this is indeed what happens then I'm sure it's a bug and not intentional. Expect a fix in the next week or two in that case.