The Mac is tantalising in the long lists of information which it can display, for example in System Information. One of the most obvious is what it terms Boot ROM Version, included in the first hardware overview which greets you when you open that app. If your Mac has a T2 chip, you’ll see its Firmware Version given when you select the Controller item. Recorded in Installations is each pushed security update too: at the moment, the last listed here is Gatekeeper Configuration Data version 171.
But what do those version numbers mean? Is my “Boot ROM” – actually EFI Firmware now – up to date? Have I missed any security updates? Is my T2 chip running the recommended current firmware, or has it fallen behind?
The curious fact is that, whilst Apple trusts us to know all those version numbers, it doesn’t trust us to know what they mean. The result is that many Macs aren’t running the current version of EFI firmware for that model, and when its firmware fails to update successfully during a system update, the Mac user isn’t informed of that failure either.
Apple did try to do something about this when it released High Sierra. Since then, every Mac running High Sierra or later has automatically run the tool eficheck once a week. It reads the active EFI firmware, compares its hashes against Apple's allow list of known firmware builds for that model, and reports whether it matches one of them and whether any of its contents differ from what Apple expects. But it doesn't inform the user of whether that Mac is running the current firmware, and users aren't made aware of the information it sends back to Apple. Maybe Apple, in its present drive to protect our privacy, considers that information too private for users to know.
In any case, most Mac models now ship with a T2 chip, something which breaks eficheck. So neither Apple nor Mac users know whether newer Macs have up to date EFI firmware at all.
Until last October, with the EFI firmware updates brought in by Mojave 10.14.1, the system for numbering EFI firmware versions was cryptic and messy. Apple therefore replaced it with a numbering system which is still model-specific, so still impossible to decipher without being given a model-by-model list. And even more curiously, eficheck now gives both old and new version numbers, so long as your Mac doesn't have a T2 chip, in which case it gives neither.
Apple doesn’t provide users any information on:
- current EFI firmware version by model;
- latest release version of XProtect;
- latest release version of Gatekeeper data;
- latest release version of MRT;
- latest release version of the TCC database.
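As an added example, and not code from the original post, the following shell script gathers the same numbers from the command line and compares each with a value you supply. It parses system_profiler output for the Boot ROM version (SPHardwareDataType), the T2 firmware version (SPiBridgeDataType, the Controller item) and the newest installed pushed update (SPInstallHistoryDataType, the Installations item), and reads the versions of the XProtect, MRT and Gatekeeper data bundles from their plists. The system_profiler text embedded in it is constructed for illustration, the bundle paths are the ones I know for Mojave and may differ on other versions of macOS, and every EXPECT_ value is a placeholder, precisely because Apple publishes none of them.

```shell
#!/bin/sh
# Added example, not from the original post: read the version numbers that
# System Information shows and compare them with values you supply.
# The EXPECT_* values are placeholders: Apple publishes no per-model table,
# so you must establish the current numbers for your own model yourself.

# ---- parsers: each reads a system_profiler text dump on stdin ----

# Boot ROM (EFI firmware) version, from: system_profiler SPHardwareDataType
# T2 Macs append "(iBridge: ...)", the firmware build of the T2 chip.
boot_rom_version() {
    sed -n 's/^[[:space:]]*Boot ROM Version:[[:space:]]*//p' | head -n 1
}

# T2 firmware version, from: system_profiler SPiBridgeDataType
# (the Controller item in System Information). Empty on Macs without a T2.
t2_firmware_version() {
    sed -n 's/^[[:space:]]*Firmware Version:[[:space:]]*//p' | head -n 1
}

# Newest installed version of one named item, from:
#   system_profiler SPInstallHistoryDataType   (the Installations item)
# Each entry is an indented "Name:" line followed by "Version: N"; entries
# are listed in install order, so the last match for the name is the newest.
latest_installed_version() {
    awk -v want="$1" '
        /^[ \t]+[^ \t].*:$/ { name = $0; sub(/^[ \t]+/, "", name); sub(/:$/, "", name) }
        /^[ \t]+Version:/ && name == want { v = $2 }
        END { if (v != "") print v }'
}

# Version of a pushed security-update bundle, read from the plist given.
# Paths used below are Mojave's (assumption; Catalina moved XProtect and MRT
# under /Library/Apple/System/Library/CoreServices).
bundle_version() {
    /usr/bin/defaults read "$1" CFBundleShortVersionString 2>/dev/null
}

# check NAME FOUND EXPECTED: print one report line; return 0 if current,
# 1 if it differs from the expected value, 2 if the item could not be read.
check() {
    if [ -z "$2" ]; then
        printf '%-32s (not found)\n' "$1"; return 2
    elif [ "$2" = "$3" ]; then
        printf '%-32s %s  current\n' "$1" "$2"; return 0
    else
        printf '%-32s %s  expected %s\n' "$1" "$2" "$3"; return 1
    fi
}

# ---- constructed samples (no real machine), in system_profiler's layout ----
SAMPLE_HW_T2='Hardware:

    Hardware Overview:

      Model Identifier: MacBookPro15,1
      Boot ROM Version: 220.270.99.0.0 (iBridge: 16.16.6571.0.0,0)
      SMC Version (system): 2.45f0'

SAMPLE_HW_OLD='Hardware:

    Hardware Overview:

      Model Identifier: MacBookPro12,1
      Boot ROM Version: MBP121.0167.B00
      SMC Version (system): 2.28f7'

SAMPLE_T2='Controller:

    Apple T2 Security Chip:

      Firmware Version: 16.16.6571.0.0,0'

SAMPLE_INSTALLS='Installations:

    Gatekeeper Configuration Data:

      Version: 170
      Source: Apple

    XProtectPlistConfigData:

      Version: 2103
      Source: Apple

    Gatekeeper Configuration Data:

      Version: 171
      Source: Apple'

# Runs the checks over the samples; the Gatekeeper "expected" value is set
# one ahead on purpose, to show what a stale item looks like in the report.
report_sample() {
    n=0
    check "Boot ROM (T2 Mac)" "$(printf '%s\n' "$SAMPLE_HW_T2" | boot_rom_version)" \
          "220.270.99.0.0 (iBridge: 16.16.6571.0.0,0)" || n=$((n + 1))
    check "Boot ROM (pre-10.14.1 numbering)" "$(printf '%s\n' "$SAMPLE_HW_OLD" | boot_rom_version)" \
          "MBP121.0167.B00" || n=$((n + 1))
    check "T2 firmware" "$(printf '%s\n' "$SAMPLE_T2" | t2_firmware_version)" \
          "16.16.6571.0.0,0" || n=$((n + 1))
    check "Gatekeeper Configuration Data" \
          "$(printf '%s\n' "$SAMPLE_INSTALLS" | latest_installed_version 'Gatekeeper Configuration Data')" \
          "172" || n=$((n + 1))
    return $n
}

# Placeholders: replace with the values you have established for your model.
EXPECT_BOOT_ROM="220.270.99.0.0 (iBridge: 16.16.6571.0.0,0)"
EXPECT_T2="16.16.6571.0.0,0"
EXPECT_GATEKEEPER="171"
EXPECT_XPROTECT="2103"
EXPECT_MRT="1.45"

# Runs the same checks against the live system (macOS only).
report_live() {
    n=0
    check "Boot ROM (EFI)" "$(system_profiler SPHardwareDataType | boot_rom_version)" "$EXPECT_BOOT_ROM" || n=$((n + 1))
    check "T2 firmware" "$(system_profiler SPiBridgeDataType | t2_firmware_version)" "$EXPECT_T2" || n=$((n + 1))
    check "Gatekeeper data (Installations)" \
          "$(system_profiler SPInstallHistoryDataType | latest_installed_version 'Gatekeeper Configuration Data')" \
          "$EXPECT_GATEKEEPER" || n=$((n + 1))
    check "Gatekeeper data (gkopaque.bundle)" \
          "$(bundle_version /private/var/db/gkopaque.bundle/Contents/version.plist)" "$EXPECT_GATEKEEPER" || n=$((n + 1))
    check "XProtect" "$(bundle_version /System/Library/CoreServices/XProtect.bundle/Contents/Info.plist)" "$EXPECT_XPROTECT" || n=$((n + 1))
    check "MRT" "$(bundle_version /System/Library/CoreServices/MRT.app/Contents/Info.plist)" "$EXPECT_MRT" || n=$((n + 1))
    return $n
}

# Exit status of the report is the number of items not at their expected version.
status=0
if command -v system_profiler >/dev/null 2>&1; then
    report_live || status=$?
else
    echo "No system_profiler here; running the checks on the constructed samples:"
    report_sample || status=$?
fi
echo "$status item(s) not at the expected version"
```

The parsers read text on stdin so they work equally on a live system_profiler run or on a saved dump, and the T2 parser simply returns nothing on a Mac without that chip, which the report shows as "(not found)" rather than a false match. Run it with sh on a Mac after filling in the EXPECT_ values; anywhere else it exercises the constructed samples only.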
None of this would be important if we could rely on macOS installers and updaters always to bring our Macs fully up to date. But there’s ample evidence, from users who are running Mojave 10.14.5 on systems with EFI firmware which hasn’t even been updated to the new numbering system, that this simply isn’t true. Other users report that they can’t get their Macs to recognise that a security update is available several days after it has been released.
eficheck was introduced because Apple realised that many Macs were running EFI firmware which was very old. This was confirmed publicly by Duo Labs, whose 2017 analysis revealed how many Macs were running EFI firmware which was badly out of date. As eficheck is only available in High Sierra and later, Macs which are still running Sierra and earlier don't get their EFI firmware checked at all. Apple seems to have abandoned them, although the evidence from Duo Labs' study is that it is older Macs which are the most likely to have problems, and even firmware vulnerabilities.
It would be so simple for Apple to incorporate checks into System Information to inform users of whether the version numbers listed there for EFI firmware and pushed security updates were up to date. If Apple really wanted to improve the security of our Macs, it’s an obvious step to take. Just as my car warns me volubly if I drive off without my seatbelt fastened, Apple should be encouraging us to ensure our Mac security systems are fully operational, not hiding behind its usual silence.