By default, Apple's custom Mac silicon, the T2 Security Chip, prevents it from booting into unrecognized OS environments. But, Apple's not stopping power-users from changing that in settings.
Apple's T2 Security Chip provides a lot of great features for the vast majority of people, including secure boot, real-time AES 256-bit data encryption, and even Touch ID authentication for MacBook Air and MacBook Pro. For them, it's on by default and should just be left on by default.
Because of that security, it's led some power-users to believe that Apple is locking down T2 machines, including those MacBooks as well as the iMac Pro and new Mac mini, so completely you will no longer be able to do things like boot into Linux.
My understanding is that you can, in fact, boot into Linux if you really want to. You just need to disable secure boot on your Mac first.
Here's what the default, "Full Security" does:
Full Security is the default Secure Boot setting, offering the highest level of security. This is a level of security previously available only on iOS devices. During startup, your Mac verifies the integrity of the operating system (OS) on your startup disk to make sure that it's legitimate. If the OS is unknown or can't be verified as legitimate, your Mac connects to Apple to download the updated integrity information it needs to verify the OS. This information is unique to your Mac, and it ensures that your Mac starts up from an OS that is trusted by Apple.
To change it:
- Turn on your Mac, then press and hold Command (⌘)-R immediately after you see the Apple logo to start up from macOS Recovery.
- When you see the macOS Utilities window, choose Utilities > Startup Security Utility from the menu bar.
- When you're asked to authenticate, click Enter macOS Password, then choose an administrator account and enter its password.
From there, if you want to boot into Linux, you want to choose the "No Security" option.
Here's how Apple describes it:
The No Security setting doesn't enforce any of the above security requirements for your startup disk.
Because the T2 Security Chip is no longer verifying the system integrity, you will lose Touch ID authentication for Apple Pay. That's because it can no longer guarantee the security of the connection between Touch ID and the purchase either. If you have an iPhone or iPad, though, you can still use those to authenticate Apple Pay on your Mac, just like you would on a Mac with no built-in Touch ID.
I haven't had time to test booting into Linux on the new Mac mini yet, so it's possible there are other levers that need pulling to make it all work, but there's nothing Apple's doing to actively prevent people who really want to boot into Linux to do it. And I'm looking forward to trying it out myself in the very near future.