Comment by vsgherzi
5 days ago
It seems like this is a bug, apple went through the trouble to allow something like asahi to be possible in the first place. I doubt they're purposely trying to break it.
5 days ago
It seems like this is a bug, apple went through the trouble to allow something like asahi to be possible in the first place. I doubt they're purposely trying to break it.
Apple designed a bootloader for Apple Silicon Macs that allows you to run an unsigned OS without degrading security when you boot into MacOS. This wasn't an accident.
Macs have always allowed you to run another OS.
iDevices have always had a locked bootloader.
People shouldn't confuse the two.
M series macs are weird tho, yes the bootloader allows it but absolutely no documentation on the hardware, drivers etc. Can't help but to think the goal of this wasn't to actually allow third-party OSes, but for development purposes(and ye they could hide the feature behind apple account with paid dev license) or anti-anti-trust measures à-la Google with Firefox: in front of a jury of normal people they can simply say "look there's these nerds making Asahi" the same way "look we're not a monopoly Firefox has .2% market share".
> M series macs are weird
More weird than the opaque Management Engines on Intel or AMD chips that can take full control of your system at any time that you have no control over?
> Can't help but to think the goal of this wasn't to actually allow third-party OSes
Apple has explicitly stated that allowing third party OSes is exactly the purpose of the new bootloader.
17 replies →
That's just a normal part of Mac development. Apple sees documentation as a net negative for them, something that can constrain them in the future. So they only document the major highways and leave everything else as an exercise to the reader.
If you're using an unstable API they expect you to figure everything out yourself. It doesn't mean that they don't want you to use it though.
I think they are wary about macOS becoming a designated DMA gatekeeper, it would certainly be very close to the user and income thresholds.
> Can't help but to think the goal of this wasn't to actually allow third-party OSes, but for development purposes
Could also be pretending to be open while making sure nothing dangerous actually gets made.
The design of the exposed mechanism is explicitly about booting unsigned versions of MacOS. There is zero support for booting anything else, but no enforcement that it must be MacOS.
However, apple's justification for exposing this mechanism to users appears to explicitly include "booting linux" even if the mechanism has zero explicit support for booting linux.
And if Apple were going to change their mind and try to block linux, they would intentionally modify the bootloader to remove that functionality, not break the boot picker.
Reminds me of when the Xbox 360 came out, Microsoft had to buy a bunch of Macs because Macs had PowerPC processors, so it was kind of a no-brainer to get the darn thing going quickly enough. Ultimately Windows was the standard way to build Xbox games but it is kind of funny to think, one day someone at Apple saw an order for easily several dozens of Macs from Microsoft, and wondered if hell froze over.
Back in the 2000s MS agreed to port Office and Internet Explorer to the Mac. This was a good move for both companies. Bill Gates appeared on screen during an Apple Conference to talk with Steve. Huge boos. Steve had to work the crowd back from the ledge.
Then Office and IE were ported. It was so weird running Word on a Mac. It was a good port too. They did a good job of embracing Mac UI ideas. I found the Mac Word better than Win Word.
I was kind of new to the Mac back then.
I imagine Apple donated a bunch of early OS 10 machines to MS for development. I wonder if the MS Mac Dev team was a pariah at MS.
1 reply →
If they allowed something similar on iphones, I'd switch to an iPhone the day an alternate os worked well enough for daily use.
why? In my mind the appeal of the iPhone is iOS. The hardware is nice, but so is the hardware of certain Android phones.
I think it would be nice if we could run unsigned apps on iOS (in the US), but booting your own OS on an iPhone is a whole different story
3 replies →
I have fond memories in the early 2000s of getting the first MacBook Pro's with Intel Core i7's and the first thing we did at my company was build and install gentoo.
People forgot already about Bootcamp
IDecices should absolutely be treated as laptops and desktops which allow another OS to run on the device. This why I have not bought an Apple device for years.
EU is the only governing body that would push owning the device you _buy_. Unfortunately their seem more geared moving to a surveillance state at the moment with chat control.
They're different for now, but it's frog-boiling. Apple has been steadily adding more and more hoops to the process for Macs, and eventually they are going to end up as locked down as iPhones.
You get clicks for "Apple bad", not for "there was this boot flag and once we figured that out problem solved".
The boot flag was undocumented, like most features of Apple devices that are required knowledge for being able to port another operating system to them.
Because of this lack of documentation, every release of a new version of Apple hardware or software may require the restarting of the reverse engineering work, like in this case, just to keep working the alternative operating system.
The boot flag might have been undocumented, but so was absolutely everything else that was reverse engineered to make Asahi possible.
Rather than blaming Apple for this, the correct approach would have been to post something like "if you dual boot Asahi, don't upgrade to macOS 27 until you've done this".
1 reply →
It's Apple's bootloader. They were the ones that chose to use iBoot and not implement UEFI-style booting like prior Macs.
...why would they, this is a strict improvement with less surface area
2 replies →
Such bugs have happened and been reported before. Asahi exercises "raw boot" facilities that just don't get all that much attention in any other context.
(removed)
If the happy path disappears, the not-so-happy path will be taken to allow for booting custom kernels, one that will likely rely on turning the some or a lot of the RE energy towards breaking the Secure Enclave, the bootloader, and so on. Apple practically laid the red carpet out to avoid people trying to crack the parts of the hardware/software chain-of-trust they would really rather not have cracked. A similar strategy helped keep the Xbox One un-pwned for over a decade (running homebrew was allowed in a specific mode). It is doubtful Apple's legal department isn't aware of the value of the current software strategy.
So isn't that just purely security by obscurity then? Would they not rather have someone publicly break it instead of selling a zero day?
1 reply →
No, if their lawyers want it gone, Apple will just update the bootloader to reject local signing keys.
The actual problem was that Apple has an undocumented APFS key for if a volume is bootable, which Asahi wasn't setting and Apple wasn't checking, but now they do, so they do.
>apple went through the trouble to allow something like asahi to be possible in the first place
if going through trouble means "doing less shit to lock their systems down", then yes.
Apple ultimately dgaf about linux.