hoakley October 1, 2017 Macs, Technology

There’s trouble in that firmware: EFI chaos

We have recently been given two glimpses into the strange and rarefied world of Mac EFI firmware. Taken together, things don’t look as good as they should be. In fact, firmware updates and versions appear to be chaotic.

The first was in a stream of tweets (since deleted) from one of the engineers working on High Sierra’s new feature which checks the EFI firmware in every Mac running High Sierra once a week. Given that Apple makes all Macs, their firmware, macOS and its updates, you might have expected Apple to know exactly what is in the firmware of every Mac, and to have ensured that those Macs are running the latest version for that model.

One reason for High Sierra checking firmware every week is to enable Apple to complete its database of all the different versions and variants of firmware running on Macs. This is because it doesn’t know what is in the firmware of every Mac, and has yet to figure out exactly which versions are still in use.

There is a problem here in the way that firmware updates are distributed. In the past, they had been supplied as separate updates as well as being bundled with operating system updates. They are now no longer supplied separately, only as part of macOS updates and upgrades.

The result is that this iMac17,1 could have any one of several different EFI versions, depending on which macOS updates and upgrades have been applied to it. If I had left it running its original system installation, El Capitan 10.11, it would still be running the original version of its firmware. It is only by installing successive macOS updates that it is currently running the latest firmware release for this model.

This is an issue which Rich Smith and Pepijn Bruienne at Duo Security have been looking at very carefully. They have matched the firmware versions of over seventy thousand Macs against their analyses of firmware updates supplied in macOS versions 10.10 to 10.12.6.

They discovered that many Macs which would be expected to be running more recent firmware are actually still running older versions. In some cases, they found Macs which, in spite of having had macOS updates and upgrades installed, have been left with their original firmware versions. This has left many Macs exposed to known EFI firmware vulnerabilities.

Although their work has been painstaking and thorough, it contains mystifying discrepancies which suggest that the real picture is even more complex. Looking again at this iMac17,1, according to their Table 10, giving the highest released versions of EFI firmware, it should be running version 0105 B20, which was supplied as part of the El Capitan updates.

firmware

Prior to upgrading to High Sierra, it was in fact running version 0105 B26, which is a more recent version installed by one of the later Sierra updates. Now that it has been upgraded, it is running version 0110 B00. I have tried in vain to discover Apple’s official line on which is the latest firmware version for this model: as you might have expected, Apple doesn’t seem to release that information, nor does it or its installers ever inform the user when a firmware update is due, or is successfully installed.

efihighsierra

I think that it’s excellent that Apple is now starting to look into these firmware issues. Just as Macs running all recent versions of macOS / OS X should get software security patches appropriate to those versions, shouldn’t they also get firmware updates to address known vulnerabilities?

However, this exposes a flaw in Apple’s current method of distributing and installing firmware updates. If I had not upgraded this iMac to Sierra 10.12.6, it would apparently still be running version 0105 B20; if I had not upgraded it to High Sierra, it would still be running version 0105 B26. Delivering EFI firmware updates is proving to be unreliable, and is leaving users vulnerable. What’s more, Smith and Bruienne’s study shows that some users who do install the latest macOS updates still don’t seem to get their firmware properly updated.

Duo first made Apple aware of these issues over three months ago. I don’t see any response from Apple, other than generic advice to upgrade to High Sierra – which continues to distribute and apply firmware updates by the same flawed mechanism, leaving some Macs exposed to vulnerabilities.

While we wait for Apple to decide what it’s going to do about updating EFI firmware, what can you do to ensure that your firmware is fully up to date?

First, check the firmware version shown in the Hardware Overview section of System Information against the version number listed in Table 10 of Duo’s report. If yours is higher than or equals that listed, it is more recent and therefore should have known vulnerabilities patched.

If your Mac has a lower version number than expected, bring it up to date with the latest version of macOS which you can safely run. If you don’t want to upgrade to Sierra or High Sierra, then download and install the last Combo updater for its major version from Apple support. So if you’re still running any version of Sierra, install the Combo updater to take it to 10.12.6. Then check the firmware version again.

If you can, consider upgrading to High Sierra, which should install new firmware on every Mac.

If none of these works, contact Apple support or your nearest Genius Bar.

16Comments

Add yours

1

Sebby on October 1, 2017 at 10:44 pm

That’s the second time I’ve updated my iMac 15,1’s firmware this week by unorthodox means, using both Sierra 10.12.6 and High Sierra 10.13.0. It still runs the actual system software Yosemite 10.10.5, and will soon move to High Sierra (a genuine improvement for me, a VoiceOver user, for which Apple has finally [FINALLY!!!!!] fixed bugs). My Mac Mini 7,1 already runs High Sierra, but I updated that as well while it was running El Capitan, from the Sierra installer. For both computers running outdated operating systems, the trick is to download the (full) App Store app for the latest OS, then rummage around inside the embedded InstallESD.dmg file for the firmware installer package. You can deploy in the usual way. For getting the full installer of High Sierra (which does, in fact, contain firmware), look for product 091-34298 in Apple SUCatalogs for OS versions >=10.11 while using an earlier version (or else you’ll get a stub installer). It can also happen if you’re not using Apple’s catalogs to check for updates (clear the URL, if an alternative is configured).

Why? Because I wanted Cmd+Opt+R to get me a Internet recovery image for the current OS, and not the one that comes with the Mac in question. Apple changed the behaviour at some point in Sierra’s cycle. They’d mentioned it in a support document for the update in question. At first, I thought it must be a trick of the recovery image or something, but no, it’s firmware, and I took a guess and tried some Googling for peoples’ experiences of the update. Reading discussions revealed this to be definitely the case. So I grabbed the combo update and sure enough I found the firmware inside. The horror–I’d been running outdated firmware, for absolutely no reason whatsoever. Somebody’s ears must have been burning, because High Sierra’s new firmware-checking mechanism came out soon after, as you note, and now this research.

Apple should go back to treating their customers with some degree of respect, and offer firmware irrespective of OS in use. It’s the only way to make this disaster go away. When the OS updater checks for updates, it should check for firmware, too. It can’t possibly be beyond them to make the installation process as smooth and seamless as it is now, for both a software update and a firmware update, in a single pass. Trying to wed firmware images to full or partial updates is just asking for trouble, when people use cloned images or Time Machine backups, or stay on older OSs, or when any given update is skipped or fails. Still, I guess it’s nice to have something of a confirmation that Apple’s support for older OSs was always somewhat illusory.

Keep up the blog.

PS: DRM is pure evil. Really. 😦

LikeLike
- 2
  
  hoakley on October 2, 2017 at 5:12 am
  
  Thank you for your long comment.
  I think that there are obvious dangers in running just the firmware updater from within a macOS installer, in that you could be running a newer version of macOS which expects newer firmware, but finds an older version. That could readily lead to incompatibilities. Given that they would be at a firmware level, they could be serious, leading for example to kernel panics.
  Howard.
  
  LikeLike
  - 3
    
    Sabahattin Gucukoglu on October 2, 2017 at 11:46 am
    
    Thanks for your reply.
    
    I agree, up to a point. Of course new OS releases should be able to make use of newly-introduced firmware services. It is reasonable, on the whole, to expect that the required minimum firmware is installed for a given OS, so long as the OS upgrade itself installs the firmware. But I don’t believe this should be generally applicable in reverse: there are countless good reasons (such as the obvious one of rolling back an OS upgrade) why older software (or an alternative OS, for that matter) is left with newer firmware. It should be Apple’s responsibility to cope, as best they can, with the very real possibility of firmware not matching the OS release. They have done a lot recently to try to dissuade people from the most obvious causes of firmware incompatibility, such as imaging (and, incidentally, in the process, demonstrated the dreadful level of technical writing we’re spoon-fed) but in the end it is an inevitability that it will happen, so they should I think be prepared for the worst eventualities. So long as there’s a new long-term strategy for making sure any given system, with any given OS release, is running the latest firmware, in a timely manner, I think they’ll have met that obligation. Users should never need to manually intervene as I did to try and patch the system firmware to a higher build, just because they aren’t running the right OS. (FYI, this is 10.10.5 (14F2511) on an iMac 15,1, running firmware IM151.0211.B00, which is the version installed by High Sierra. It was on IM151.0207.B09 from Yosemite; the Sierra installer brought that to B27 with the new start-up hotkey feature.)
    
    Cheers,
    
    Sabahattin
    
    LikeLike
    - 4
      
      hoakley on October 2, 2017 at 11:59 am
      
      Yes, I note a lot of “shoulds”.
      The problem with updating or changing your EFI firmware is that, if there is a disaster, your Mac cannot boot. There is no recovery mode. All you can do is send your Mac to an authorised Apple repairer and pay for it to be unbricked.
      So unless you really know what you are doing – and could afford to be without your Mac for a week or so – you should leave firmware changes to Apple’s system updates and upgrades.
      Howard.
      
      LikeLike
5

Sebby on October 2, 2017 at 12:33 pm

Yes, there is definitely risk, of course, as with any firmware update, and there is always the possibility that doing this will fail in some way that it might not otherwise have. It’s certainly not something I’d prefer to do on a regular basis (and hopefully I won’t have to, after High Sierra), and I wouldn’t recommend it to anybody who wasn’t confident. But having examined the packages carefully, my opinion is that it was an acceptable risk (it just puts the firmware into the ESP, and you reboot to run the updater). But of course, YMMV, and I’ve got nothing against people who prefer to play it safe. I needed the update, for a specific feature which I now have.

Sabahattin

LikeLike
- 6
  
  hoakley on October 2, 2017 at 2:22 pm
  
  In case anyone is wondering what should happen if your EFI firmware becomes corrupted or damaged, it is detailed here. TL;DR: cross your fingers, wait, and hope (for recent models).
  Howard.
  
  LikeLike
7

Philip Noguchi on October 2, 2017 at 3:23 pm

Thank you for the extensive information on all things mac, but especially on the High Sierra firmware issue. I note in your article on on Startup tones, EFI, etc the paragraph:

“EFI ROM updates only occur now as part of a macOS update. All models which are upgraded to run High Sierra receive a firmware update as part of that installation. These are usually listed in the Installations item in System Information, which will also give full details of the installed version.”

I looked in my System Information Installations and was not able to discern where this information exists. I found far too many entries and software updates, but not on firmware updates. I hope you can give some tips on exactly how to access this information.

Philip Noguchi

LikeLiked by 1 person
- 8
  
  hoakley on October 2, 2017 at 3:33 pm
  
  Open About This Mac, and click on the System Report button to open System Information.
  With Hardware selected at the left, the Boot ROM Version states your current EFI firmware version. The value given is a two-letter model (e.g. IM = iMac), the Apple model code (171 = 17,1), then the next four hex digits are the major version (here 0110) and the final three are the minor version (here B00).
  Then go down to Software, and select Installations at the left. In the list of installations, click twice on the Install Date column header, and it will be sorted in time order, the most recent at the top. You can then scroll down to the Install macOS High Sierra item and discover that the installer did not, on this occasion, record that any firmware update had been performed.
  That may mean that no firmware update was performed (I doubt that, from my own evidence here), or that the firmware updater ran silently and didn’t register the update – which is typically useless and unhelpful to the users.
  Perhaps instead of writing “usually” I should have said “when Apple feels like it”!
  Howard.
  
  LikeLike
  - 9
    
    Philip Noguchi on October 2, 2017 at 7:05 pm
    
    Thank you for the walkthrough. I looked at all the Install macOS High Sierra listings including a number of developer betas I had downloaded, and all of them did not have any information on a firmware update… Maybe this is another ‘feature’ of High Sierra, another piece of info being hidden.
    
    By the way, my current EFI firmware is MBP91.00D7.B00, which is different in the Duo report. Like you I haven’t a clue whether this is newer that the last one.
    
    Phil
    
    LikeLiked by 1 person
    - 10
      
      hoakley on October 2, 2017 at 7:08 pm
      
      It’s great, isn’t it? I only know because of the screenshots which I take for this blog, and for my section in MacFormat magazine.
      Howard.
      
      LikeLike
11

Philip Noguchi on October 2, 2017 at 8:58 pm

I just used an app call “Suspicious Package” (http://www.mothersruin.com/software/SuspiciousPackage/) to look at the InstallESD.dmg in the HIgh Sierra release. I examined the FirmwareUpdate.pkg, and in the 211 scripts that were found, under Tools/EFIPayloads was a script labeled IM171_0110_B00.fd and one labeled MBP91_00D7_B00.scap

Those labels match your current firmware for the iMac17,1 and my current firmware for the MacBookPro9,2. There is another script labeled MBP91_0159_B00.fd which matches the firmware shown in the DUO report.

Interesting, no?

LikeLike
- 12
  
  hoakley on October 2, 2017 at 9:09 pm
  
  Thank you – that is fascinating. 211 scripts for firmware updates? That sounds an awful lot of different Mac models!
  (I did look inside the installer to see if the firmware update installer package revealed its contents, but it refused to oblige from the Installer app.)
  Now that I have reversed the logarchive bundle format, I have the complete logs from my MacBook Air to work through; they cover the installation of the upgrade and conversion to APFS, although not the phase during which it was booted from the installer contents. I have already seen some interesting entries there…
  Howard.
  
  LikeLike
13

Sam J on October 2, 2017 at 9:37 pm

Fine, be like Windows where 99.999% of computers never had a BIOS update.

Starting with Skylake, Microsoft is requiring all Win 10 logo’ed systems to expose the EFI capsule update mechanism, and BIOS updates will be installed automatically in the same way security updates are (no opt-out).

LikeLike
- 14
  
  hoakley on October 2, 2017 at 10:27 pm
  
  The comparison with Windows isn’t, I think, a good one. Microsoft makes very few Windows computers. Apple has complete control over Mac hardware, firmware, and (apart from with Boot Camp) operating systems. It really shouldn’t have a problem keeping users with up-to-date firmware, should it?
  Howard.
  
  LikeLike
  - 15
    
    Sam J on October 3, 2017 at 1:29 am
    
    The problem is worse on Windows as evidenced by a number of recent firmware vulnerabilities. Starting from Thunderbolt, Apple has been cleaning up their firmware, where PC vendors treats Windows Logo as their sole requirements. From skimming release notes, Apple has only needed to fix rowhammer and some DMA attack issues.
    
    Also I skimmed their paper and they did not mention anything about detection of Hackintoshes or virtual machines, both of which would obviously lead to an EFI mismatch. Seems like a glaring hole without an explanation of how they excluded this. (In both cases, you boot whatever EFI you provide, and copy some specific strings and tables over from the host machine)
    
    LikeLike
    - 16
      
      hoakley on October 3, 2017 at 6:22 am
      
      I don’t think that Apple will ever do anything to support ‘Hackintoshes’, which are the Mac equivalent of jailbreaking. Nor should we expect them to do so.
      Virtual machines are different, though. Perhaps the onus there is on the vendor of the virtualisation environment.
      Howard.
      
      LikeLike

·Comments are closed.

Share this:

Related