Mac Security – Can UEFI Secure Boot Be Achieved on Macs Prior to T2 Secure Chip?

boot, security

A little bit more detail: what I'm curious about is whether a Mac's firmware can be set up to validate an EFI binary's attached signature against a cert that's stored in the EFI variables by the user.

If so, how does a Mac toggle between normal mode and setup mode? (as in allowing/forbidding the certs in EFI variables to be modified)

The scenario I have in mind is to have a recent Intel Mac from right before the T2 chip got added, say the Haswell generation around 2014 and 2015, and I hope to have the Mac's firmware validate the integrity of the GRUB EFI binary before booting it.

Thanks!

Best Answer

Apple only officially supports macOS and Windows for use on Macs. Therefore, the firmware does not support Secure Boot. A Mac with a T2 chip can be configured to only allow booting of macOS and Windows 10. A Mac's firmware cannot validate the integrity of a GRUB EFI binary. Having a T2 chip does not change this.

As for a setup mode, basically a Mac with a T2 has the following window.

The instructions for configuring can be found at the Apple website About Startup Security Utility.
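To check from an installed OS whether a given machine's firmware exposes UEFI Secure Boot at all, and whether it is in setup mode or user mode, the standard `SecureBoot` and `SetupMode` variables can be read. The following is an added example, not part of the original answer; it assumes Linux booted in EFI mode with efivarfs mounted at `/sys/firmware/efi/efivars`, and the function names are hypothetical.

```python
import os
import struct

# EFI global variable GUID defined by the UEFI specification.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"  # assumed Linux efivarfs mount point


def read_efi_byte(name, efivars_dir=EFIVARS_DIR):
    """Return the one-byte value of a global EFI variable, or None if absent.

    An efivarfs file holds a 4-byte little-endian attribute word, then the data.
    """
    path = os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL_GUID}")
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except FileNotFoundError:
        return None  # variable (or efivarfs itself) is not present
    if len(raw) < 5:  # attribute word only, or truncated: no usable value
        return None
    return raw[4]


def secure_boot_state(efivars_dir=EFIVARS_DIR):
    """Classify the Secure Boot state from the SecureBoot and SetupMode variables."""
    secure_boot = read_efi_byte("SecureBoot", efivars_dir)
    setup_mode = read_efi_byte("SetupMode", efivars_dir)
    if secure_boot is None and setup_mode is None:
        return "unsupported"          # firmware exposes no Secure Boot variables
    if setup_mode == 1:
        return "setup-mode"           # no Platform Key enrolled; keys can be changed
    if secure_boot == 1:
        return "user-mode-enforcing"  # signatures are checked against enrolled keys
    return "user-mode-disabled"       # keys enrolled, enforcement switched off


def write_constructed_var(directory, name, value):
    """Write a constructed efivarfs-style file so the check can be tried offline."""
    attrs = struct.pack("<I", 0x6)  # BOOTSERVICE_ACCESS | RUNTIME_ACCESS
    with open(os.path.join(directory, f"{name}-{EFI_GLOBAL_GUID}"), "wb") as fh:
        fh.write(attrs + bytes([value]))


if __name__ == "__main__":
    print(secure_boot_state())
```

A result of `unsupported` means the firmware publishes neither variable, so there is no key store to enroll a certificate into and no setup/user mode to toggle.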