undefined | Better HN

0 pointsnneonneo7y ago0 comments

Please read Apple’s white paper on the security chip: https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overvi...

They provide a setting that lets you disable the boot security at will, allowing you to install Linux or any other alternative OS. Security features on macOS (as opposed to iOS) are generally optional, but enabled by default (as is the sensible choice).

They don’t provide you the ability to reprogram the T2 itself, which is a shame but not entirely without merit - compromising the T2 chip would be far more dangerous than compromising the OS in terms of persistence.

0 comments

HankB997y ago

I've read that the T2 chip also provides the mass storage interface and without documentation or drivers, Linux cannot be run from the internal drive. Devices with the T2 chip can be booted and run from USB connections with the security disabled but not an internal drive.

nneonneoOP7y ago

Yes, that's unfortunate - the lack of drivers means that Linux devs will once again have to reverse someone's proprietary software to develop their own drivers. It's not a fun state of affairs. Unfortunately, Apple is not likely to start fully supporting Linux on Mac hardware by providing drivers and documentation. But the point here is that they haven't done anything technically to prevent you from running Linux.

floatboth7y ago

From what I remember, it acts as a "normal" NVMe device and you can just add its PCI ID and see the disk in Linux…

but in 10 seconds after that it powers the system off because it detects something like an unauthorized OS. Sounds a bit like prevention.

cmurf7y ago

Unacceptable. The user must disable Secure Boot to run Linux, which means the system becomes vulnerable to bootkit attacks. And, the typical scenario will be a user who leaves it disabled, making both macOS and Linux and possibly Windows (if also installed) more vulnerable to bootkit attacks.

I'm quite sure Microsoft would be willing to provide Apple their UEFI public key, which is what pretty much all Linux shim bootloaders are signed with.

geofft7y ago

> Unacceptable. The user must disable Secure Boot to run Linux, which means the system becomes vulnerable to bootkit attacks.

I see this said a lot, and I find it baffling because so many Linux users demanded no secure boot at all - which is exactly the thing being called unacceptable now. (It's not just you; The Register, for instance, complained about how "malware or malicious users that gets onto your Mac can potentially alter the operating system to hide spyware right from startup" when secure boot is off, in an article otherwise complaining about how Apple must hate Linux users because secure boot is now on.) There is no increased risk of bootkit attacks to Linux users as a result of this change. There is simply a reduced risk to macOS users.

I do agree that a model (as MS implemented) where you can enroll your own keys would be better - but that would be a new feature. In the meantime, if every Macintosh from the 128K until today was acceptable, what changed?

voltagex_7y ago

I think that secure boot got maligned as non-removable options were conflated with the ones where you could enroll keys.

nneonneoOP7y ago

The white paper addresses this - the UEFI CA is not included in the secure enclave's trust store. This is intentional - the UEFI CA is used to sign bootloaders that don't perform chain-of-trust validation, meaning that if the secure enclave trusted the UEFI CA by default, then secure boot could be pretty trivially bypassed.

Sure, they could make things more secure by allowing you to add your own keys. You could go ahead and add the public key for your secure bootloader that does chain-of-trust validation, but the "typical scenario" would be a user adding a generic UEFI CA that leaves them open to a modified or malicious OS.

solarkraft7y ago

> But the "typical scenario" would be a user adding a generic UEFI CA that leaves them open to a modified or malicious OS

What's the downside (to allowing it)? Do they think they need to protect users from themselves?

saagarjha7y ago

> And, the typical scenario will be a user who leaves it disabled, making both macOS and Linux and possibly Windows (if also installed) more vulnerable to bootkit attacks.

No way. The typical user will leave it enabled because they will only use macOS.

X-Istence7y ago

Bootcamp will also install Microsoft's root for UEFI so that Windows 10 can run fully secure.

1 more reply

j / k navigate · click thread line to collapse

0 comments

HankB997y ago

nneonneoOP7y ago

floatboth7y ago

From what I remember, it acts as a "normal" NVMe device and you can just add its PCI ID and see the disk in Linux…

but in 10 seconds after that it powers the system off because it detects something like an unauthorized OS. Sounds a bit like prevention.

cmurf7y ago

I'm quite sure Microsoft would be willing to provide Apple their UEFI public key, which is what pretty much all Linux shim bootloaders are signed with.

geofft7y ago

> Unacceptable. The user must disable Secure Boot to run Linux, which means the system becomes vulnerable to bootkit attacks.

voltagex_7y ago

I think that secure boot got maligned as non-removable options were conflated with the ones where you could enroll keys.

nneonneoOP7y ago

solarkraft7y ago

> But the "typical scenario" would be a user adding a generic UEFI CA that leaves them open to a modified or malicious OS

What's the downside (to allowing it)? Do they think they need to protect users from themselves?

saagarjha7y ago

> And, the typical scenario will be a user who leaves it disabled, making both macOS and Linux and possibly Windows (if also installed) more vulnerable to bootkit attacks.

No way. The typical user will leave it enabled because they will only use macOS.

X-Istence7y ago

Bootcamp will also install Microsoft's root for UEFI so that Windows 10 can run fully secure.

1 more reply

j / k navigate · click thread line to collapse