High Sierra automatically checks EFI firmware each week

Upgrading to High Sierra brings a new and significant security feature: your Mac will automatically check its EFI firmware. In a series of tweets, Xeno Kovah, one of the three engineers responsible for the new tool, has outlined how this works.

The new utility eficheck, located in /usr/libexec/firmwarecheckers/eficheck, runs automatically once a week. It checks that Mac’s firmware against Apple’s database of what is known to be good. If it passes, you will see nothing of this, but if there are discrepancies, you will be invited to send a report to Apple, with the following dialog.


If you are running a real Mac, rather than a ‘Hackintosh’, Kovah asks that you agree to send the report. This will allow eficheck to send the binary data from the EFI firmware, preserving your privacy by excluding data which is stored in NVRAM. Apple will then be able to analyse the data to determine whether it has been altered by malware or anything else.

The great majority of users should, of course, never see that dialog. If you do, your decision will be remembered; if you agreed to send the data to Apple, then in a week’s time when eficheck runs again, it will automatically adhere to your original choice.

eficheck depends on a small local library of ‘known good’ data, which will be automatically and silently updated if you have security updates turned on in the App Store pane.

This has been developed by Xeno Kovah, Nikolaj Schlej, and Corey Kallenberg, and is believed to be the first attempt at large-scale privacy-preserving checking of firmware integrity of this type. Hopefully, it will bring a significant improvement in security to all Macs which are upgraded to High Sierra.

(The screenshot above is taken from Xeno Kovah’s tweets, as is the information. Thanks, Xeno, for your work and this knowledge.)