Hector Martin

In addition, Apple has a mechanism they use to only allow recent versions of their software to be installed on devices, by requiring a "phone home" process when you install it. This requirement can be disabled *after* you have a working install.

This makes sense; what Apple is doing is giving us advanced users a way to opt out of all of this, while making sure regular users cannot be compromised. The opt outs are stored on the SSD. So if you wipe your disk, Apple will treat your Mac like a secured device again.

One neat thing though, is that in fact these security settings are *per OS install*. This means that it should be entirely possible to dual-boot a *fully secure macOS* and Linux. That means you should be able to run iOS apps in macOS (which is disallowed without security).

This is like having an Android that can dual-boot the stock OS without OEM unlock and passing all SafetyNet checks, and also whatever custom OS you want without Gapps and anything else. Which is really cool.

So the takeaway here is: Apple have built a very clever secureboot process previously unseen in any kind of desktop computer. They make us go through hoops to boot Linux, but those hoops are there to protect normal users.

Once your Mac is set up with an OS install with permissive security, there is no phoning home or anything like that; that is just for from-scratch setups or if you need to reinstall.

It is up to us (i.e. Asahi Linux) to provide recovery mechanisms that allow you to fix a broken Linux install without having to depend on additional Apple software or do a full machine restore (and we will, don't worry).

In other words: Apple Silicon is like a Google Pixel device, but better. You need the factory OS to get to the "enable OEM unlock" toggle, and after that you're good. As long as you only mess with the installed OS (system/data partitions), you can do whatever you want.