Restoring order to EFI firmware

Mac firmware had quietly become one of the platform’s most worrying problems. Six months ago, you could have picked a handful of the same model of Mac and found them running several different versions of EFI firmware. Although that was no worse than the situation with Windows PCs, all Macs are made and sold by the same manufacturer, so there was no excuse for such chaos.

The situation also had all the ingredients of a security disaster. Should malware get into the EFI firmware, with so many different versions around, it would be almost impossible to detect. Firmware malware is just about as persistent as it gets, so even if you knew a Mac was infected, it could be almost impossible to remove. Had any malware developers turned their attentions to Mac EFI firmware, the effects could have cast Macs out as pariahs for a long time to come.

Thankfully, Apple decided that it needed to get a grip on this, and hired three engineers to tackle the problem. They built a new utility eficheck into High Sierra, and started collecting valuable information about what really was in EFI firmware in Macs being used in the real world.

High Sierra also brought EFI firmware updates which have been installed on every Mac which has been upgraded to the new version of macOS, with the possible exception of ‘hackintoshes’ for which Apple quite reasonably doesn’t feel responsible.

The delivery of El Capitan and Sierra Security Updates 2018-001 marks the second stage in Apple’s campaign to bring order to EFI firmware: Macs running those two releases of macOS have now been updated to the same, uniform versions of EFI firmware (with two small exceptions). Provided that a Mac has been kept updated, if it is running macOS 10.11.6 or later, it should at last be using standard EFI firmware for that model.

This brings many benefits to users. Although there are undoubtedly some bugs remaining in different EFI firmware, they should now be consistent across each model. If one of those bugs renders macOS unstable on, say, a particular MacBook Pro, then all of that model should be equally affected, and when the firmware engineers fix that bug in a firmware update, every one of those affected Macs should enjoy that fix.

Other Apple engineers working on the deeper parts of macOS which interact with the firmware should be able to get it right more reliably, as they won’t be trying to cater for several different firmware versions, just the one for each model. Solutions to kernel panics and Bluetooth issues, for example, should be easier to arrive at, and more effective for users.

Above all, should any malware turn to the firmware, it should now be readily detectable – at least in High Sierra, which will continue to check its firmware each week. Instead of providing data for research, those checks can now be relied on as assessments of the integrity of the firmware.

Once you have installed the High Sierra 10.13.3 update, or either of the two Security Updates 2018-001 for Sierra or El Capitan, it is worth taking a moment to check your EFI Firmware. In the Apple menu, select About This Mac, then click on the System Report… button. Match the Boot ROM Version shown there against my list of current EFI firmware versions.

If they match, you shouldn’t have to worry about firmware issues in the future, so long as you keep up with Apple’s updates. If they don’t, you could try downloading the standalone installer for the update, and installing that. You’ll find those

  • here for High Sierra 10.13.3 for most models
  • here for High Sierra 10.13.3 for the iMac Pro
  • here for the Combo update for High Sierra 10.13.3
  • here for Sierra Security Update 2018-001
  • here for El Capitan Security Update 2018-001.

If your Mac still won’t come up to the current version, then you need to contact Apple support.
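The Boot ROM Version check described above can also be scripted, which helps when several Macs need checking. This is an added example, not part of the original article or any Apple tool: it parses the output of system_profiler SPHardwareDataType, and the EXPECTED table and SAMPLE report hold constructed placeholder values that must be replaced with versions from a trusted list.

```shell
# EXPECTED is a constructed placeholder table ("model version" per line),
# not a list of real current versions; fill it from a trusted list.
EXPECTED='MacBookPro11,4 MBP114.0000.B00
iMac17,1 IM171.0000.B00'

# Print one field (e.g. "Boot ROM Version") from system_profiler text on stdin.
hw_field() {
    awk -F': ' -v key="$1" '{ k = $1; sub(/^[ \t]+/, "", k)
                              if (k == key) { print $2; exit } }'
}

# Read a hardware report on stdin and print a verdict.
# Returns 0 = match, 1 = mismatch, 2 = field missing or model not listed.
check_firmware() {
    report=$(cat)
    model=$(printf '%s\n' "$report" | hw_field 'Model Identifier')
    rom=$(printf '%s\n' "$report" | hw_field 'Boot ROM Version')
    if [ -z "$model" ] || [ -z "$rom" ]; then
        echo "UNKNOWN: could not read model or Boot ROM Version"; return 2
    fi
    want=$(printf '%s\n' "$EXPECTED" | awk -v m="$model" '$1 == m { print $2; exit }')
    if [ -z "$want" ]; then
        echo "UNKNOWN: no expected version listed for $model"; return 2
    fi
    if [ "$rom" = "$want" ]; then
        echo "OK: $model runs $rom"; return 0
    fi
    echo "MISMATCH: $model runs $rom, expected $want"; return 1
}

# Constructed sample report in the layout system_profiler prints.
SAMPLE='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: MacBookPro11,4
      Boot ROM Version: MBP114.0000.B00
      SMC Version (system): 2.29f24'

# On a Mac, check the live machine; elsewhere, run the constructed sample.
if command -v system_profiler >/dev/null 2>&1; then
    system_profiler SPHardwareDataType | check_firmware || true
else
    printf '%s\n' "$SAMPLE" | check_firmware || true
fi
```

A MISMATCH or UNKNOWN result only says the version differs from the table or could not be compared; the next step is the same as above, installing the standalone update and checking again.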

Thank you Xeno Kovah, Nikolaj Schlej, Corey Kallenberg, and the other engineers at Apple who have been responsible for sorting this out.