Hector Martin

Apple Silicon devices have a, by default, tightly controlled boot process similar to iOS. The bootloader is also quite dumb and cannot actually boot from external media. Internal storage (the SSD) is tightly coupled to parts of the boot process.

This means that in order to set up an Apple Silicon device to boot arbitrary code, you first need to set it up to boot macOS, or at least install a working recovery mode. In other words, if you wipe the entire disk, that's like wiping your UEFI firmware in a PC.

You won't brick the thing, because there is DFU mode, but you will have to download a recovery bundle from Apple and install it first; just like there's no Linux on a PC without the manufacturer UEFI firmware (unless it's one of the rare coreboot supported ones).

In addition, Apple has a mechanism they use to only allow recent versions of their software to be installed on devices, by requiring a "phone home" process when you install it. This requirement can be disabled *after* you have a working install.

This makes sense; what Apple is doing is giving us advanced users a way to opt out of all of this, while making sure regular users cannot be compromised. The opt outs are stored on the SSD. So if you wipe your disk, Apple will treat your Mac like a secured device again.

One neat thing though, is that in fact these security settings are *per OS install*. This means that it should be entirely possible to dual-boot a *fully secure macOS* and Linux. That means you should be able to run iOS apps in macOS (which is disallowed without security).