[PATCH v7] efi: Do not import certificates from UEFI Secure Boot for T2 Macs

Aditya Garg gargaditya08 at live.com
Fri May 13 18:31:18 UTC 2022


> Are there directions for installing Linux on a Mac with Apple firmware
> code?  

Well, the directions for installing Linux on an Intel-based Mac, which includes the T2 Macs, are the same as on a normal PC.

Though, in case of T2 Macs, we for now need to use customised ISOs, since some drivers and patches to support T2 Macs are yet to be upstreamed.

An example of installing Ubuntu can be read here on https://wiki.t2linux.org/distributions/ubuntu/installation/

Talking about the official ISOs, for many distros, since CONFIG_LOAD_UEFI_KEYS is not enabled in their kernel config, we can install Linux using them, but they still lack many drivers required, since they are yet to be upstreamed. So the installation doesn’t work efficiently and we have to manually install custom kernels having those patches.

In some distros like Ubuntu, they have CONFIG_LOAD_UEFI_KEYS enabled in their kernel config. In this case the crash as mentioned in the patch description occurs and EFI Runtime Services get disabled. Since installing GRUB requires access to NVRAM, the installation fails with official ISOs in this case. Thus, a custom ISO, with this patch incorporated, is being used for now for users interested in Ubuntu on T2 Macs.

> Are you dual booting Linux and Mac, or just Linux?

I don’t think it actually matters, though in most of the cases, we dual boot macOS and Linux, but I have seen cases where users wipe out their macOS completely. But this doesn't affect the Secure Boot policy of these machines.

> While in
> secure boot mode, without being able to read the keys to verify the
> kernel image signature, the signature verification should fail.

If I enable secure boot in the BIOS settings (macOS Recovery), Apple’s firmware won't allow even boot loaders like GRUB or rEFInd to boot. It shall only allow Windows and macOS to boot. You can see https://support.apple.com/en-in/HT208198 for more details.

> 
> Has anyone else tested this patch?

I work as a maintainer for Ubuntu for the T2 Linux community and I have this patch incorporated in the kernels used for Ubuntu ISOs customised for T2 Macs, and thus have many users who have used the ISO and have a successful installation. Thus, there are many users who have tested this patch and are actually using it right now.
We also need to have NVRAM writes enabled so as to unlock the iGPU in Macs with both Intel and AMD GPUs, and with this patch, we have been successfully able to unlock it.

I hope I could answer your questions.

Regards
Aditya

