Linux on Apple silicon M1 and M2 Macs

Posted: Thu Apr 17, 2025 7:03 pm
by david
How does Linux boot on Apple silicon Macs?

Why Can’t M1 Macs Boot Directly from USB?

Apple M1 (and other Apple Silicon) Macs have restrictions on booting directly from USB devices due to their secure boot architecture.
Apple silicon Macs use a secure boot process managed by the Secure Enclave and Apple’s boot loader, which only allows booting from the internal storage (NVMe SSD) with signed boot objects. The boot process is locked down to prevent unsigned or external bootloaders from running natively. While macOS can boot recovery or installers from USB, Linux cannot directly boot from a USB drive without significant workarounds, as the M1’s boot chain doesn’t support it out of the box.
However, once the Linux kernel is loaded from the internal storage, it can absolutely access and use an external USB device (like a USB flash drive or external SSD) for the root filesystem or other purposes.


Bootloader (m1n1): Asahi Linux uses the m1n1 bootloader, which is installed on the internal storage and signed by Apple’s boot process (via a custom boot policy).

If Apple silicon only boots signed bootloaders, how does m1n1 boot then?

The fact that Apple Silicon Macs, including those with M1 chips, only boot signed bootloaders is a key part of their secure boot architecture, and understanding how m1n1 (the bootloader used by Asahi Linux) works within this constraint is crucial. Let’s dive into how m1n1 is able to boot on an M1 Mac despite Apple’s strict security requirements.

Apple Silicon Secure Boot Overview:
Apple Silicon Macs enforce a secure boot chain managed by the Secure Enclave Processor (SEP) and Apple’s boot ROM.

Here’s a quick rundown of how it works:

Signed Bootloaders: Only bootloaders signed by Apple (or explicitly authorized by the system’s security policy) can be executed. This ensures that only trusted code (e.g., macOS’s bootloader) runs at the hardware level.

Boot Policy: Each Apple Silicon Mac has a configurable security mode that dictates what can boot:

Full Security: Only Apple-signed macOS bootloaders are allowed.

Reduced Security: Allows custom bootloaders (like m1n1) but requires user authorization and Apple’s approval via a signing process.

Permissive Security: Allows unsigned or locally signed bootloaders for development, but this is typically only available on developer kits, not consumer Macs.

Boot Process: The boot ROM verifies the bootloader’s signature, then the bootloader verifies the kernel or next stage. This chain of trust ensures no unauthorized code runs.

By default, consumer M1 Macs ship in Full Security mode, which only permits Apple-signed macOS. To boot Linux (via m1n1), you need to modify this security policy and use a mechanism that integrates with Apple’s secure boot framework.

How m1n1 Boots on Apple silicon Macs:
m1n1 is a custom bootloader developed by the Asahi Linux team specifically for Apple Silicon. It’s designed to load Linux kernels while complying with Apple’s secure boot requirements. Here’s how it works:

1. Switching to Reduced Security Mode
To boot m1n1, you must first change the Mac’s security policy from Full Security to Reduced Security. This is done through macOS:
Boot into Recovery Mode (power off, then hold the power button until “Loading startup options” appears).

Go to Utilities > Startup Security Utility.
Authenticate with an admin account.

Select Reduced Security and enable the option to allow user-managed kernel extensions or custom boot objects.

This tells the Secure Enclave to allow bootloaders that aren’t directly signed by Apple, provided they’re authorized by the user and registered with Apple’s infrastructure (more on this below).

User Authorization: Changing the security mode requires physical access to the Mac and an admin password, ensuring only the device owner can permit custom bootloaders.

2. Personalized Boot Object Signing
Apple’s secure boot doesn’t allow fully unsigned bootloaders on consumer Macs, even in Reduced Security mode. Instead, custom bootloaders like m1n1 must be personalized and signed for your specific Mac.

Here’s how Asahi Linux handles this:
During the Asahi Linux installation (via curl https://alx.sh | sh), the installer generates a machine-specific boot object that includes m1n1.

This boot object is sent to Apple’s servers, which sign it with a personalized certificate tied to your Mac’s unique hardware ID (via the Secure Enclave).

The signed boot object is returned to your Mac and stored in the internal storage’s boot partition.

Why This Works: The signed m1n1 boot object is treated as a valid, user-authorized bootloader by the Secure Enclave. It’s not a generic Apple signature (like macOS uses) but a custom signature that Apple’s servers generate for your device, ensuring security while allowing flexibility.

No Internet After Setup: The signing process requires an internet connection during installation, but once m1n1 is signed and installed, booting doesn’t need internet access.

3. m1n1’s Role in the Boot Chain
Installation: The Asahi Linux installer creates a new bootable partition on the internal NVMe SSD (e.g., “Asahi Linux”). It installs m1n1, a UEFI environment (like GRUB or U-Boot), and the Linux kernel.

Boot Process:
Boot ROM: The M1’s boot ROM verifies the iBoot stage (Apple’s first-stage bootloader) in the APFS container.

iBoot: In Reduced Security mode, iBoot checks the boot picker’s selection. If you choose the “Asahi Linux” volume, iBoot verifies the personalized signature of the m1n1 boot object.

m1n1: Once verified, m1n1 loads into memory. m1n1 is a minimal bootloader designed to initialize Apple Silicon hardware (e.g., memory, display, interrupts) and hand off to a Linux kernel or UEFI environment.

UEFI/GRUB: m1n1 typically loads a UEFI environment (e.g., GRUB), which then loads the Linux kernel and initramfs from the internal storage (or, in your case, points to a USB root filesystem).

Linux Kernel: The kernel takes over, initializes the system, and mounts the root filesystem (e.g., from USB, as per your setup).

Why m1n1 is Needed: Apple Silicon has non-standard hardware (e.g., custom memory controllers, interrupt handling). m1n1 acts as a bridge, setting up the hardware in a way that a standard Linux kernel can understand. It’s not a full bootloader like GRUB but a low-level shim tailored for Apple Silicon.

4. Integration with Apple’s Boot Picker
When you install Asahi Linux, it registers m1n1 as a bootable volume in the Mac’s boot picker (the GUI you see when holding the power button).

The boot picker presents “Asahi Linux” as an option alongside macOS. Selecting it tells iBoot to load the signed m1n1 boot object, maintaining the secure boot chain.

This ensures a user-friendly experience while complying with Apple’s security model.

Why Does m1n1 Comply with Secure Boot?
Signed by Apple: m1n1 itself isn’t signed with a generic Apple certificate (like macOS). Instead, it’s wrapped in a personalized boot object that Apple signs for your specific Mac during installation. This satisfies the Secure Enclave’s requirement for a trusted signature.

Reduced Security Mode: By enabling Reduced Security, you explicitly allow user-managed boot objects, but the signing process ensures Apple still has oversight (preventing fully unsigned code).

No Bypassing Secure Boot: Unlike traditional PCs, where you can disable secure boot entirely, Apple Silicon requires a signature at every stage. m1n1 works within this framework, not against it.

Comparison to Traditional Linux Bootloaders:
On a typical x86 PC, you might use GRUB or systemd-boot, which can be unsigned if secure boot is disabled. On M1 Macs:
You can’t disable secure boot entirely (except in rare developer modes).

m1n1 acts as a first-stage bootloader to handle Apple Silicon’s quirks, while GRUB or U-Boot handles higher-level tasks (e.g., kernel selection).

The personalized signing process replaces the need for a traditional secure boot keypair (e.g., Microsoft’s UEFI keys).
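
The personalization idea described in the post above, as an added toy model (not part of the original post, and not Apple or Asahi Linux code): a signature bound to one machine's hardware ID stops verifying when the boot object is copied to another machine or modified. The key, hardware IDs and image bytes are constructed, HMAC-SHA256 stands in for the real asymmetric signature, and the three modes follow the post's wording.

```python
import hashlib
import hmac

# Constructed stand-in for the signing authority's key. A real boot chain uses
# asymmetric signatures; HMAC-SHA256 is swapped in to stay standard-library only.
SIGNING_KEY = b"constructed-demo-signing-key"
FULL, REDUCED, PERMISSIVE = "full", "reduced", "permissive"


def personalize(boot_object: bytes, hardware_id: str) -> bytes:
    """Sign the boot object's digest together with ONE machine's hardware ID."""
    digest = hashlib.sha256(boot_object).digest()
    msg = hardware_id.encode() + b"\x00" + digest
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()


def may_boot(policy, hardware_id, boot_object, ticket, vendor_os=False):
    """Return (allowed, reason) for one boot stage under the given mode."""
    if policy == PERMISSIVE:
        return True, "permissive: signature not required"
    expected = personalize(boot_object, hardware_id)
    if ticket is None or not hmac.compare_digest(ticket, expected):
        return False, "signature does not match this object on this machine"
    if policy == FULL and not vendor_os:
        return False, "full security: only the vendor OS loader may run"
    return True, "verified"


def demo():
    """Run constructed scenarios; returns {scenario: allowed}."""
    loader = b"constructed m1n1 image bytes"
    mac_a, mac_b = "hwid-A-constructed", "hwid-B-constructed"
    ticket = personalize(loader, mac_a)  # signed for Mac A only
    cases = {
        "reduced, same Mac": may_boot(REDUCED, mac_a, loader, ticket),
        "reduced, copied to another Mac": may_boot(REDUCED, mac_b, loader, ticket),
        "reduced, image modified": may_boot(REDUCED, mac_a, loader + b"!", ticket),
        "reduced, no signature": may_boot(REDUCED, mac_a, loader, None),
        "full, custom loader": may_boot(FULL, mac_a, loader, ticket),
    }
    return {name: allowed for name, (allowed, _reason) in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:32} -> {'boot' if allowed else 'refuse'}")
```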

Re: Linux on Apple silicon M1 and M2 Macs

Posted: Mon Apr 28, 2025 2:23 pm
by david
Video tutorial: how to install Asahi Linux on your M1/M2!


youtu.be/UwDzyNruOsY

Benchmarks: macOS vs Linux!


youtu.be/c0IPe-VeWKw

Re: Linux on Apple silicon M1 and M2 Macs

Posted: Wed Apr 30, 2025 12:52 pm
by david
Windows games running on MacBook M1 Max Linux!

youtu.be/BbJMPfXTbbE