Question

I am reading up on the T2 chip as I look at plans to avoid multiple machines by consolidating various OS requirements onto a single computer.

It sounds like I can use Full Security for Secure Boot in the Startup Security Utility for macOS and Windows 10.

Startup Security Utility for Apple's T2 chip

For Linux, I plan to disable it and enable Allow booting from external media.

When booting back into macOS after re-enabling Full Security, would there be any issue here, or would it boot just as if it had never been disabled?

I ask because of this paragraph:

When an operating system is being installed, the system communicates to an Apple Signing Server and requests a personalized signature that includes the ECID—unique ID specific to the chip—as part of the signing request. The signature is unique and usable only by the operating system with that T2 chip installed. Therefore, when Full Security is configured, the T2 chip ensures the operating system is uniquely signed for each computer.

To rephrase the question again, does the T2 chip remember this unique ID (ECID) after turning Full Security back on? Or rather, does it discard it when choosing No Security?


Solution

Yes, the T2 always "remembers" its unique ID (ECID) even if you turn Full Security off and on again. It is never discarded.

However, this is really not the question you would like to be asking:

The ECID is burned into the T2 chip and cannot change. The actual signature file created when the operating system is installed is stored on your disk drive as an im4m file. A valid signature can only be signed by Apple, and it contains the ECID from your T2 chip, limiting its validity to your specific computer.

The real question you want to ask is if those signature files are retained when turning off Full Security - and the answer is yes, they definitely are.

Every time you have a new signature created (for example when installing a new OS), the system creates a new, uniquely named im4m file on your drive. The old ones are not deleted.

When you disable "Full Security" and set it to "No Security", then the T2 chip stops checking the validity of the signatures in those im4m files. It doesn't discard them, delete them or anything of the sort.

License: CC-BY-SA with attribution
Not affiliated with apple.stackexchange