Apple has again been the master of surprise. Although we all expected new Macs and iPads to be announced last week, few had predicted that Apple would leave its iMacs, both regular and Pro, completely unrevised. In addition, many had expected Mojave 10.14 to bring EFI firmware updates, not the 10.14.1 update, and surely no one anticipated how that would work out.
Over a year ago, for the ill-fated release of High Sierra, Apple set its firmware engineers a daunting task: end the EFI chaos, in which many Macs were still running firmware which was way out of date despite using far more recent releases of macOS.
High Sierra introduced a new tool,
eficheck, which runs every week or so and checks that the current EFI firmware hasn’t been tampered with, and is within its fairly generous allow list. For example, a MacBook Pro Retina 13-inch Late 2012 (MBP10,2) is allowed any of 145 different firmware versions according to the latest allow list. Those range from its release in 2012 to the latest of September this year.
eficheck only reports problems, firmware versions which aren’t in its allow list, and those whose checksums don’t add up correctly. For many models, it doesn’t require your Mac to be running the latest firmware, not in the least.
When last week’s EFI firmware updates were installed, most Mac users – whether running Sierra, High Sierra or Mojave – found that the Boot ROM Version reported by System Information hadn’t just augmented, but had changed its entire format out of the blue. Further investigation revealed that no one had told
eficheck about these changes either, and it continues to report EFI Versions in the old format, with completely different numbers.
Apple hadn’t warned users of the firmware update, nor of the change in its numbering system. It still (as of 3 November) hasn’t had the decency to post any Release Note, Support Note or developer documentation informing us of this sudden change. Nor has it taken the slight trouble to explain what any of the version numbers mean.
Let me have a go at filling this important gap.
EFI firmware now has two quite different designators which can be used to indicate its version. The ‘new’ numbering shown in System Information is currently of little or no use, as it is model-specific. So you’ll find oddities like the iMac15,1 and MacBookPro9,1 have exactly the same version number. In future, when Apple releases new EFI firmware, those version numbers should increment, but as Apple doesn’t tell us which are the current versions, we’ll be left wondering what those numbers should say.
The more important designator is that given and used by
eficheck, which is only accessible through the command line, or in LockRattler. This consists of three important parts: the model designator, EFI firmware version, and its datestamp, such as
IM183 indicates the model is an iMac18,3 (which may differ from that shown in System Information too), that its EFI firmware is version number
F000.B00 (which might now mean that it no longer has a distinct version number), and that the datestamp of that firmware is 18/09/28 08:42. Of these, it is the datestamp which now comes closest to being a version number for any given model.
eficheck designator is that used to check against the allow list, and in more recent models
eficheck now only accepts the most recent designator. In these, the old version number is uniformly
F000.B00 across many different models, so the critical components are the model designator and the datestamp. Of course, Apple doesn’t provide a listing of the current values, but it is at least easy to see when the firmware engineers created that particular version.
There are currently many anomalies between the two numbering systems. I have already pointed out that the first number given in the new-format versions isn’t a model designator, and can appear in several different models. Even within a group of models, that number can be misleading. For example, the iMac16,1 and iMac16,2 show the same new version number (18.104.22.168.0), and their old version number is also identical (0221.B00), but their firmware differs in datestamp: respectively 1809171321 and 1809171530.
One reader reports that System Information says his iMac is an iMac18,2 with a Boot ROM Version of 22.214.171.124.0, but
eficheck gives it a designator of
IM183.88Z.F000.B00.1809280842, which is correct for an iMac18,3 after this latest round of firmware updates.
It’s almost as if Apple doesn’t want us knowing about the EFI firmware in our Macs, so has obfuscated and confuddled them to the point where most users will just give up. If
eficheck only ever checked that a Mac was running the current version, and macOS installers and updaters reliably updated EFI firmware, then this might have worked.
Apple is perhaps patting us gently on the head, telling us not to worry, as it has got it all sorted. Has it? Not from what I can see. Instead it has turned what was becoming much better ordered and robust, into confusion and inconsistency.
Of course none of the above concerns those new Macs with a T2 chip, where Apple considers that verifying the EFI firmware is so important that it can’t be left to the likes of
eficheck. It there requires an immutable ‘hardware root of trust’ to evaluate the T2 kernel cache, which in turn verifies the EFI firmware.
For the approximately 100 million Macs in use which don’t have T2 chips, we’ll just have to live with two version numbering systems, utter confusion, and no documentation at all. But that is perhaps the least surprising outcome of last week.