How High Sierra checks your EFI firmware

One of the better-hidden changes in High Sierra is its ability to check the integrity of the EFI firmware in your Mac. It is well-hidden, because it has been running quietly in every Mac which has been upgraded to High Sierra, yet very few users are aware of it, nor of its importance.

EFI firmware, like most firmware, is a security nightmare. Before High Sierra, Macs of the same model were running many different versions, some several years out of date, which could account for all sorts of compatibility issues. Although it should be very hard for malware to alter the firmware, any that do would be supremely persistent, and (before High Sierra) almost impossible to detect.

Apple decided that enough was enough, and High Sierra was the time to put an end to this mess and mass vulnerability. The answer is a tool tucked away in /usr/libexec/firmwarecheckers: eficheck. It runs quietly once a week, checks that your Mac’s EFI firmware is in its approved list, and that it hasn’t been altered or corrupted. So long as those are true, you won’t see anything of it.

By upgrading to High Sierra, your firmware should have been updated to a version on the approved list; if it hasn’t, you should have been alerted of that fact, and hopefully Apple support will have guided you to a solution already.

If the version is good, but your installed firmware doesn’t match expectations, you should be invited to send the results as a report to Apple. This doesn’t necessarily mean that there’s a problem: eficheck calculates hashes from the installed firmware, and compares those against lists which it keeps in an Allow List, currently over 2,000 files in the bundle EFIAllowListShipping.bundle.

In some cases, non-matching hashes may be perfectly acceptable, and help Apple update the Allow List. In other cases, non-matching hashes will indicate accidental corruption of the EFI firmware, or potentially its modification by malware. By sending the report to Apple, its firmware engineers can check what is going on.

It has been suggested that eficheck refers to an online Allow List, but I can find no evidence that is the case. Instead, each update to High Sierra has brought changes to EFIAllowListShipping.bundle which incorporate new firmware updates and Apple’s growing database of firmware hashes. I think it had originally been suggested that this Allow List should be an additional silent security update; as EFI firmware updates now only come as part of a macOS update, that shouldn’t be necessary.

If you have seen the eficheck dialog and made a decision which you want to change, eficheck does store your preference in a file, although it’s not clear which one at present.

The adventurous can run eficheck themselves, at the command line in Terminal. It should tell you its usage if you just enter
/usr/libexec/firmwarecheckers/eficheck/eficheck

It currently support five options:

--integrity-check, which performs checks against the current Allow List in EFIAllowListShipping.bundle;
--generate-hashes, which analyses the EFI firmware and stores its hashes into files;
--show-hashes, which simply shows the EFI firmware hashes;
--save, which will save the EFI firmware to a binary file;
--cleanup, which is used to prepare a binary copy of the firmware created using --save for sharing with Apple.

Of those, some require root privileges, and the only command even the most insatiably curious are likely to use is
/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check
which runs a check of the EFI firmware. You should see a response like
EFI Version: MBP141.88Z.0173.B00.1802081002 Primary allowlist version match found. No changes detected in primary hashes.

Any errors which eficheck encounters when it is run are written to the unified log, for ready reference.

eficheck is an unsung hero in High Sierra, a big step forward for ensuring more consistency in firmware, so improving stability, and in protecting against the very real threat of EFI malware, which could otherwise be devastating to users.

Note: eficheck doesn’t work on T2-equipped Macs such as the iMac Pro or the MacBook Pro 2018, which receive their firmware updates by a different mechanism, for which Apple considers these checks unimportant. No sooner than Apple introduces a valuable improvement than it brings out models which are an exception.

2Comments

Add yours

1

Joss on September 29, 2018 at 6:37 am

EFICheck is not possible from userland on Macs with T2 chip; you will get the following error message:

ReadBinaryFromKernel: No matching services found. Either this system is not supported by eficheck, or you need to re-load the kext
IntegrityCheck: couldn’t get EFI contents from kext

Apple says that eficheck is not necessary anymore on T2 Macs: “The architecture for T2 systems is such that there is much less value in attempting to make eficheck work with it, and thus enhancements are not currently on our plans.”

https://openradar.appspot.com/radar?id=5020911870672896

LikeLiked by 1 person
- 2
  
  hoakley on September 29, 2018 at 6:41 am
  
  Thanks – yes, that is noted on other pages here about EFI firmware. I will add a note to make this clear here too.
  Howard.
  
  LikeLike

Share this:

Related