How High Sierra checks your EFI firmware

One of the better-hidden changes in High Sierra is its ability to check the integrity of the EFI firmware in your Mac. It is well-hidden, because it has been running quietly in every Mac which has been upgraded to High Sierra, yet very few users are aware of it, nor of its importance.

EFI firmware, like most firmware, is a security nightmare. Before High Sierra, Macs of the same model were running many different versions, some several years out of date, which could account for all sorts of compatibility issues. Although it should be very hard for malware to alter the firmware, any that do would be supremely persistent, and (before High Sierra) almost impossible to detect.

Apple decided that enough was enough, and High Sierra was the time to put an end to this mess and mass vulnerability. The answer is a tool tucked away in /usr/libexec/firmwarecheckers: eficheck. It runs quietly once a week, checks that your Mac’s EFI firmware is in its approved list, and that it hasn’t been altered or corrupted. So long as those are true, you won’t see anything of it.

By upgrading to High Sierra, your firmware should have been updated to a version on the approved list; if it hasn’t, you should have been alerted of that fact, and hopefully Apple support will have guided you to a solution already.

If the version is good, but your installed firmware doesn’t match expectations, you should be invited to send the results as a report to Apple. This doesn’t necessarily mean that there’s a problem: eficheck calculates hashes from the installed firmware, and compares those against lists which it keeps in an Allow List, currently over 2,000 files in the bundle EFIAllowListShipping.bundle.

In some cases, non-matching hashes may be perfectly acceptable, and help Apple update the Allow List. In other cases, non-matching hashes will indicate accidental corruption of the EFI firmware, or potentially its modification by malware. By sending the report to Apple, its firmware engineers can check what is going on.

It has been suggested that eficheck refers to an online Allow List, but I can find no evidence that is the case. Instead, each update to High Sierra has brought changes to EFIAllowListShipping.bundle which incorporate new firmware updates and Apple’s growing database of firmware hashes. I think it had originally been suggested that this Allow List should be an additional silent security update; as EFI firmware updates now only come as part of a macOS update, that shouldn’t be necessary.

If you have seen the eficheck dialog and made a decision which you want to change, eficheck does store your preference in a file, although it’s not clear which one at present.

The adventurous can run eficheck themselves, at the command line in Terminal. It should tell you its usage if you just enter
/usr/libexec/firmwarecheckers/eficheck/eficheck

It currently support five options:

  • --integrity-check, which performs checks against the current Allow List in EFIAllowListShipping.bundle;
  • --generate-hashes, which analyses the EFI firmware and stores its hashes into files;
  • --show-hashes, which simply shows the EFI firmware hashes;
  • --save, which will save the EFI firmware to a binary file;
  • --cleanup, which is used to prepare a binary copy of the firmware created using --save for sharing with Apple.

Of those, some require root privileges, and the only command even the most insatiably curious are likely to use is
/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check
which runs a check of the EFI firmware. You should see a response like
EFI Version: MBP141.88Z.0173.B00.1802081002
Primary allowlist version match found. No changes detected in primary hashes.

Any errors which eficheck encounters when it is run are written to the unified log, for ready reference.

eficheck is an unsung hero in High Sierra, a big step forward for ensuring more consistency in firmware, so improving stability, and in protecting against the very real threat of EFI malware, which could otherwise be devastating to users.