Apple's new T2 chip improves security in a number of ways

Does Apple stop Linux from booting on its newly refreshed Mac Mini PC or MacBook Air laptops?

That’s the claim currently circling the web’s collective drain. The posit is that the new T2 ‘secure enclave’ chip Apple has baked into its new models prevents Linux from booting.

But is this actually true?

Kinda. The answer is both “yes, technically” and “no, not completely”.

The T2 Chip & Linux

Apple’s new Mac Mini and MacBook Air systems both feature the custom-engineered T2 ‘secure enclave’.

The T2 chip is designed to help toughen device security, handle encryption, manage Touch ID, and ensure the microphone can’t “always listen” when the lid is closed.

As configured out of the box, the T2 does prevent Linux from booting. In fact, it’ll stop anything that isn’t macOS, as Apple’s own documentation points out:

NOTE: There is currently no trust provided for the Microsoft Corporation UEFI CA 2011, which would allow verification of code signed by Microsoft partners. This UEFI CA is commonly used to verify the authenticity of bootloaders for other operating systems such as Linux variants.

But that’s not where the answer ends.

Firstly, Apple could choose to add support for the Microsoft UEFI CA 2011 certificate. This certificate is the same one that allows Linux users to dual boot distros like Ubuntu with Windows 10 and keep secure boot enabled.

Alas, it hasn’t.

Secondly, the whole “Secure boot” policy itself can be disabled.

You Can Boot Linux on the new MacBook Air