No, Apple's not locking you out of Linux on Mac with the T2 chip

By default, Apple's custom Mac silicon, the T2 Security Chip, prevents it from booting into unrecognized OS environments. But, Apple's not stopping power-users from changing that in settings.

Apple's T2 Security Chip provides a lot of great features for the vast majority of people, including secure boot, real-time AES 256-bit data encryption, and even Touch ID authentication for MacBook Air and MacBook Pro. For them, it's on by default and should just be left on by default.

Because of that security, it's led some power-users to believe that Apple is locking down T2 machines, including those MacBooks as well as the iMac Pro and new Mac mini, so completely you will no longer be able to do things like boot into Linux.

My understanding is that you can, in fact, boot into Linux if you really want to. You just need to disable secure boot on your Mac first.

Here's what the default, "Full Security" does:

Full Security is the default Secure Boot setting, offering the highest level of security. This is a level of security previously available only on iOS devices. During startup, your Mac verifies the integrity of the operating system (OS) on your startup disk to make sure that it's legitimate. If the OS is unknown or can't be verified as legitimate, your Mac connects to Apple to download the updated integrity information it needs to verify the OS. This information is unique to your Mac, and it ensures that your Mac starts up from an OS that is trusted by Apple.

To change it:

  1. Turn on your Mac, then press and hold Command (⌘)-R immediately after you see the Apple logo to start up from macOS Recovery.
  2. When you see the macOS Utilities window, choose Utilities > Startup Security Utility from the menu bar.
  3. When you're asked to authenticate, click Enter macOS Password, then choose an administrator account and enter its password.

From there, if you want to boot into Linux, you want to choose the "No Security" option.

Here's how Apple describes it:

The No Security setting doesn't enforce any of the above security requirements for your startup disk.

Because the T2 Security Chip is no longer verifying the system integrity, you will lose Touch ID authentication for Apple Pay. That's because it can no longer guarantee the security of the connection between Touch ID and the purchase either. If you have an iPhone or iPad, though, you can still use those to authenticate Apple Pay on your Mac, just like you would on a Mac with no built-in Touch ID.

I haven't had time to test booting into Linux on the new Mac mini yet, so it's possible there are other levers that need pulling to make it all work, but there's nothing Apple's doing to actively prevent people who really want to boot into Linux to do it. And I'm looking forward to trying it out myself in the very near future.

○ Video: YouTube
○ Podcast: Apple | Overcast | Pocket Casts | RSS
○ Column: iMore | RSS
○ Social: Twitter | Instagram

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.