By: David Herron; Date: November 6, 2018
Many of us like Apple's hardware but not the operating system, and prefer to run Linux or even Windows. Yes, it's a little crazy to pay a premium price for the hardware just to run some other operating system, but that's how good Apple's hardware is. It has now been discovered that the 2018 Mac Mini ships with hardware that blocks booting operating systems Apple has not approved.
For its newest systems Apple designed in the T2 security chip. According to Phoronix this chip:
Apple's T2 security chip being embedded into their newest products provides a secure enclave, APFS storage encryption, UEFI Secure Boot validation, Touch ID handling, a hardware microphone disconnect on lid close, and other security tasks. The T2 restricts the boot process quite a bit and verifies each step of the process using crypto keys signed by Apple.
Phoronix explains that by default Windows does not boot on this hardware either; one must run Boot Camp Assistant to enable booting Windows. Linux is a different deal, however.
Where this affects booting Windows or Linux on T2-equipped Mac Minis is:
The Boot Camp Assistant will install the Windows Production CA 2011 certificate that is used to authenticate Microsoft bootloaders. But this doesn't set up the Microsoft-approved UEFI certificate that allows verification of code by Microsoft partners, including what is used for signing Linux distributions wishing to have UEFI SecureBoot support for Windows PCs.
In Apple's T2 security chip documentation Phoronix found this:
NOTE: There is currently no trust provided for the Microsoft Corporation UEFI CA 2011, which would allow verification of code signed by Microsoft partners. This UEFI CA is commonly used to verify the authenticity of bootloaders for other operating systems such as Linux variants.
In other words, the T2's trust list contains Apple's keys and (after Boot Camp) the certificate for Microsoft's own Windows bootloaders, but not the Microsoft Corporation UEFI CA 2011 that Linux distributions' Secure Boot bootloaders are signed under. Apple could choose to add that certificate and allow Linux to boot; so far it has not.
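The practical question on any Secure Boot machine is therefore "which CAs does the firmware's db actually trust?" The following is an added example, not code from the original post or from Apple or Phoronix. It parses the EFI_SIGNATURE_LIST layout from the UEFI specification that the db variable is stored in, filters the X.509 entries, and reports whether the two Microsoft CAs the post contrasts are present. On Linux it can read the live db from efivarfs; the sample db embedded below is constructed (stand-in blobs carrying only the subject string, not real DER certificates, and a made-up owner GUID) so the check runs offline and mirrors the Boot Camp situation described above: Windows Production PCA present, Microsoft UEFI CA absent.

```python
"""Inspect a UEFI Secure Boot 'db' blob for the two Microsoft CAs.

Added example, not code from the original post. Implements the
EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout from the UEFI specification.
"""
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# The db variable on a Linux efivarfs (EFI_IMAGE_SECURITY_DATABASE_GUID).
EFIVARS_DB = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

# Subject common names as encoded (PrintableString) in the real certificates,
# so a substring search over the DER bytes finds them.
WINDOWS_PCA_CN = b"Microsoft Windows Production PCA 2011"
UEFI_CA_CN = b"Microsoft Corporation UEFI CA 2011"

HEADER_FMT = "<III"  # SignatureListSize, SignatureHeaderSize, SignatureSize
HEADER_LEN = 16 + struct.calcsize(HEADER_FMT)  # SignatureType GUID + 3 u32


def parse_signature_lists(blob):
    """Return [(signature_type, owner_guid, signature_data), ...] from a db blob.

    A db is a sequence of EFI_SIGNATURE_LIST structures, each holding one or
    more fixed-size EFI_SIGNATURE_DATA entries (16-byte owner GUID + data).
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from(HEADER_FMT, blob, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        body = blob[off + HEADER_LEN + hdr_size: off + list_size]
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            entries.append((sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]))
        off += list_size
    return entries


def x509_certs(blob):
    """DER blobs of every X.509 entry; hash entries (SHA-256 etc.) are skipped."""
    return [data for sig_type, _owner, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_X509_GUID]


def microsoft_ca_status(blob):
    """Which of the two Microsoft CAs the db trusts.

    The substring test is a pragmatic check; a strict one would parse each
    certificate's Subject with an X.509 library (e.g. `cryptography`).
    """
    certs = x509_certs(blob)
    return {
        "windows_production_pca_2011": any(WINDOWS_PCA_CN in c for c in certs),
        "microsoft_uefi_ca_2011": any(UEFI_CA_CN in c for c in certs),
    }


def read_db_from_efivarfs(path=EFIVARS_DB):
    """Read the live db on Linux; efivarfs prefixes the data with 4 attribute bytes."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_signature_list(sig_type, owner, data):
    """Encode one EFI_SIGNATURE_LIST holding a single EFI_SIGNATURE_DATA entry."""
    sig_size = 16 + len(data)
    return (sig_type.bytes_le
            + struct.pack(HEADER_FMT, HEADER_LEN + sig_size, 0, sig_size)
            + owner.bytes_le + data)


# Constructed sample data (assumptions): a made-up owner GUID and stand-in
# "certificates" that carry only the subject string, not real DER.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")


def sample_db_after_bootcamp():
    """db as the post describes it after Boot Camp: Windows PCA yes, UEFI CA no."""
    return (build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, b"\x30\x82" + WINDOWS_PCA_CN)
            + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, bytes(32))
            + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, b"\x30\x82Apple stand-in"))


def sample_db_with_uefi_ca():
    """The same db after the Microsoft UEFI CA 2011 has been added."""
    return sample_db_after_bootcamp() + build_signature_list(
        EFI_CERT_X509_GUID, SAMPLE_OWNER, b"\x30\x82" + UEFI_CA_CN)


if __name__ == "__main__":
    import sys
    live = len(sys.argv) > 1 and sys.argv[1] == "--live"
    blob = read_db_from_efivarfs() if live else sample_db_after_bootcamp()
    for name, present in microsoft_ca_status(blob).items():
        print(f"{name}: {'trusted' if present else 'NOT trusted'}")
```

Run it with `--live` on a Linux box booted under UEFI to inspect the real db; without arguments it reports the constructed Boot Camp case, where only the Windows Production PCA is trusted. The parser is strict about SignatureListSize and SignatureSize on purpose: a db blob is attacker-influenced input on a machine where someone has had firmware-level write access, so a truncated or oversized list raises rather than being silently skipped.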
The Secure Boot settings live in the Startup Security Utility, which is only reachable from the Recovery partition. Therefore you first restart the computer while holding down Command (⌘)-R to enter Recovery mode, then open the utility.
One of the choices is No Security, which Apple describes as:
The No Security setting doesn't enforce any of the above security requirements for your startup disk.
So... problem solved? Not so fast. According to a discussion on Stack Overflow, even with No Security selected, Linux still does not boot on the 2018 Mac Mini.