hoakley March 8, 2021 Macs, Technology

Why is firmware so troubled?

None of us wants to talk about firmware. Not firmware engineers, who want it to just work, of course. Not Apple, who don’t want users worrying about the innards of their Macs or devices. Not users, because it’s not well understood and should just get on with its job. And, most important of all, not those who support Macs, because it’s so difficult. If you can bear with me, I’ll try to break that silence a little.

In the simple model of how computers work, firmware sits between the hardware and software, the latter including the kernel and low-level OS functions. In truth, it’s not a single entity: in an Intel Mac, the main processor has EFI firmware, any T2 chip its iBridge firmware, and each of the major subsystems such as SMC, disk controllers, and Ethernet interface, have their own firmware too.

It’s hardware-specific, and has undergone complete change each time that Macs have switched architecture: Classic Mac firmware for the Motorola 68K family was replaced by Open Firmware when PowerPC models arrived, that in turn was replaced by EFI firmware for Intel Macs, and we’re currently undergoing yet another change with the arrival of Apple Silicon systems. Difficult and possibly dry it might be, but firmware is ever-changing and deeply important to our Macs.

Firmware is also one of the most serious issues in security. An attacker who gains access to your Mac’s firmware owns it before it has even started up. Malware in firmware is the ultimate in persistence and control. It’s such a serious issue that Intel has introduced its Hardware Shield, Dell has SafeBIOS, and Microsoft has Secure Launch. In March 2015, two security researchers from LegbaCore, Xeno Kovah and Corey Kallenberg, demonstrated proof-of-concept attacks on the BIOS of several computers including Dell, HP, and other PCs which could implant malicious code. Later that year, Kovah and Trammell Hudson turned their attention to Macs, demonstrating a firmware worm named Thunderstrike 2.

Until 2015, Apple supplied EFI firmware for Macs separately from updates to OS X, and those are still available today. However, this was a bad system for several reasons, so from then on firmware updates have only been supplied as part of system upgrades and updates. This has resulted in the orphaning of Macs running older and unsupported versions of macOS: if your Mac is still running Sierra, for instance, the most recent firmware it can normally have installed is the last which was bundled in the last security update for Sierra, which was 2019-004, released on 22 July 2019.

Then in 2017, Rich Smith and Pepijn Bruienne of Duo Labs undertook research to assess the state of EFI firmware in Macs, and discovered that many were running outdated versions. Their concern was less about potential bugs and other problems, and more about the security risk that this posed. Duo Labs released an online tool for checking whether a Mac’s firmware was up to date, and on 4 October 2017 I published my first listing of current firmware versions here, following detailed explanation of the problem. With the help of readers, notably Pico, I’ve since tried to maintain a list of current firmware versions for all reasonably recent Macs.

Apple had already been busy, hiring Xeno Kovah and Corey Kallenberg who started work there on 10 November 2015, and Nikolaj Schlej, another firmware security researcher, who joined them on 5 August 2016. They developed a new tool eficheck which was released in High Sierra, on 25 September 2017, before the virtual ink had dried on the Duo Labs report. Each week, eficheck checks the current firmware against a local database of versions which are known to be ‘good’, and (with the user’s permission) sends a report to Apple in the event that it finds discrepancies. Apple’s thrust here was less about ensuring that firmware was the latest version, and more concerned with detecting anomalies which could indicate malware.

High Sierra also brought a more rigorous policy of maintaining firmware in Macs running older, but still-supported, versions of macOS, with regular Security Updates, as I explained in early 2018. This was followed by a new system for numbering firmware versions, which was introduced on 30 October 2018, and made it much easier to track whether Macs are up to date, although as Apple hasn’t provided any list of current firmware versions, users have always had to rely on third parties such as Duo Labs and my articles here. This is in spite of the fact that the current firmware version is displayed in System Information, a fact of no value unless you can discover which version number it should be running.

As more users have been able to check the version of firmware in their Mac against lists of what’s current, many have reported anomalies, in which, despite keeping up to date with the latest version of macOS, their Mac seems stuck on an old firmware version. In an effort to make checking firmware even easier, on 4 July 2019 I released the first beta-test of a new app EFIcienC, which automatically compared the version found against lists which I maintain on my GitHub. This app later became SilentKnight, which now checks a full range of security data versions and other important settings.

Although in the two years which had passed since the Duo Labs report and Apple’s introduction of eficheck relatively few Macs appeared to be running very old firmware, it has also become clear that there remain problems with updating firmware in Intel Macs. Because eficheck is still largely concerned with detecting potential malware, reports it has sent to Apple can’t convey the difficulties that some have experienced.

For example, one user had upgraded his Mac Pro (Late 2013) by replacing its internal storage, and they had to remove that and restore their Mac with its original Apple-fitted SSD before any macOS update would perform a firmware update. Some variants of other models also proved a problem, but one stood out as being exceptionally prone to failure, the iMac Retina 5K, 27-inch, Late 2015 – the dreaded iMac17,1.

Over the last couple of years, most of these problems have been resolved, leaving just that one model in trouble, the iMac17,1.

In the meantime, Macs have moved on too. The T2 chip now fitted as standard to Intel models has greatly complicated firmware, as the T2 runs its own iBridge firmware, and problems updating that have rendered a few Macs unbootable, or ‘bricked’. As those issues have become rarer, we now have completely new Macs based on the M1 SoC, whose firmware is more closely related to that used in iOS/iPadOS devices, and not in the least bit EFI. Like Intel Macs with a T2 chip, M1 Macs only have one common firmware (or iBoot) version number, and updating them appears far more reliable.

Firmware will continue to pose problems for those running Intel models without T2 chips, but as they’re progressively replaced by Apple Silicon Macs, it looks as if the problems first publicised by Duo Labs over three years ago will continue to fade into the past. It’s only appropriate that Apple’s firmware security engineers, including Xeno Kovah and Nikolaj Schlej, and perhaps Corey Kallenberg too, have seen this through from their work on eficheck to the M1 firmware. Without them, who knows what might have happened to Mac firmware.

14Comments

Add yours

1

Albert Godfrind (@agodfrin) on March 8, 2021 at 10:00 am

Sorry for the seemingly silly question, but how can I know whether the macBook I’m using is using the T2 chip ? I looked at the SilentKnight output and it does not say whether it does or not. It is probably implied somewhere in the output …

LikeLiked by 1 person
- 2
  
  hoakley on March 8, 2021 at 1:07 pm
  
  Thank you.
  You can tell from the text report. If the EFI version contains two pairs of version numbers like
  EFI version found 1554.80.3.0.0 (iBridge: 18.16.14347.0.0,0); expected 1554.80.3.0.0 iBridge 18.16.14346.0.0
  then it has a T2 chip. If there’s only one, like
  EFI version found 464.80.3.0.0; expected 464.80.3.0.0
  then it doesn’t have a T2 chip.
  Howard.
  
  LikeLike
3

Jon Bullard on March 8, 2021 at 12:43 pm

There seems to be a typo in your GitHub repo; in https://github.com/hoakleyelc/updates/blob/master/MacBookPro.plist

There is no entry for a “MacBookPro9,2”. However, at line 123 there is an entry for “MacBookPro9.2”.

LikeLiked by 1 person
- 4
  
  hoakley on March 8, 2021 at 1:03 pm
  
  Thank you very much indeed: now corrected.
  Howard.
  
  LikeLike
5

BKDad on March 8, 2021 at 1:18 pm

So, I guess Apple’s solution is progress though obsolescence. :8^)

In a way, that’s not entirely a bad idea. As older machines fade away in whatever form, they become less appealing for whomever to build malware for. Why waste your time and energy on making malware for 2006 iMacs, as an example? I suspect this is one of the (many) reasons why Windows computers are the most popular targets for malware. Better yield for the effort required.

I guess then the practical effect of this is when somebody wants to update their iMac 17,1 to Big Sur (for example) and they’re stuck on older firmware. That makes the recovery system less friendly and efficient. Perhaps Apple could’ve saved some users and themselves an AppleCare headache if they’d just said, “Big Sur won’t work on 2015 iMac models – stick with Mojave or Catalina. We’re still supplying Security Updates for both.” (They still are, aren’t they???)

Thank you for the clear analysis, Howard!

LikeLiked by 1 person
- 6
  
  hoakley on March 8, 2021 at 6:09 pm
  
  Thank you.
  Yes, Apple provides Security Updates for the last two major versions of macOS, currently Mojave and Catalina, which keep them in sync with the latest firmware which is common to Big Sur. It’s only the minority of iMac17,1 users who haven’t been able to update their firmware from before Catalina.
  So there is obsolescence to a degree, but it’s not as rapid as many would have you believe. The big test is how long Apple continues to support Intel Macs. Given that the current models tend to be towards the upper specs, I suspect this will be for some years to come yet.
  Howard.
  
  LikeLike
  - 7
    
    BKDad on March 8, 2021 at 6:22 pm
    
    That would be fine by me. I’ve generally found that Apple hardware outlasts the software. By that, I mean that with some proper maintenance, older Macs can perform well a long time after they are supposed to be obsolete. It’s just that some of the software features age or become obsolete.
    
    Side note: I use a 2006 white iMac on the lab bench. It is running Snow Leopard and will run Windows 7 through Boot Camp. Maximizing the memory and replacing the spinning drive with an SSD really changed its performance. The Core 2 Duo will run engineering simulations on Windows 7 in about 150% of the time it takes for me to do the same on my work issued Windows computer with an i7 processor.
    
    Based on my recent MacBook Air M1 experience, I suspect we’ll be looking at a new iMac whenever those arrive. Then, this iMac 17,1 may well push the 2006 iMac aside on the workbench. Just add in Windows 10 in a Boot Camp partition.
    
    I feel a strong desire to not toss machines into a landfill. That means finding a new use for them here, since it’s almost impossible to even plain give away computers more than a year or two old it would seem. Go figure.
    
    LikeLiked by 1 person
    - 8
      
      hoakley on March 9, 2021 at 12:01 am
      
      I have a house full of old Macs, and tens of thousands of old books. I’ve got a Mac Portable, a IIfx, an Xserve, an 8-core Mac Pro, and many many more. It’s been a long time since I last ran the IIfx, though.
      Howard.
      
      LikeLiked by 1 person
    - 9
      
      BKDad on March 9, 2021 at 3:18 am
      
      We had an Apple iiC that we gave to my daughter’s Montessori school. That was our earliest Apple product. That time, we were smart enough to give it away when it was still a current product. Since then, the Macs have kept piling up. I try not to think about it too much, but my wife reminds me every few months.
      
      BTW… The eficheck authors did their jobs well. Got two reports in the last two days. Both were dutifully sent to Apple where, well, we don’t know what happens there, do we?
      
      LikeLiked by 2 people
    - 10
      
      hoakley on March 9, 2021 at 7:30 am
      
      Thank you.
      I’ve not heard of Apple getting in touch with anyone whose eficheck sent them a report, so I suspect it’s still information gathering rather than individual diagnostics, and aimed entirely at security.
      Howard.
      
      LikeLiked by 1 person
11

Mac House Calls (Joshua Fried) on March 8, 2021 at 6:34 pm

“The T2 chip now fitted as standard to Intel models has greatly complicated firmware…”
That makes sense.

But then, you confuse me:
“Like Intel Macs with a T2 chip, M1 Macs only have one common firmware (or iBoot) version number, and updating them appears far more reliable.”

Maybe I don’t understand “common” here, or I’m missing something else, but it seems to me that M1 firmware update reliability is *unlike* T2 Mac firmware update reliability.

LikeLiked by 1 person
- 12
  
  hoakley on March 9, 2021 at 12:06 am
  
  Sorry – let me explain.
  Prior to T2 chips, most models have model-specific firmware. Macs with T2 chips and M1 Macs each have the same version of firmware across that architecture. That’s the nub of the first part of that sentence.
  Although there have been some disastrous failures to update T2 firmware, and it remains a scary experience, I have yet to hear of any T2-equipped Mac which won’t update, in the way that older Intel Macs can. Similarly, I haven’t heard of anyone who couldn’t get their M1 Mac to update iBoot. Maybe I’ve just lived a sheltered life?
  Howard.
  
  LikeLiked by 1 person
13

Pico on March 8, 2021 at 8:50 pm

The mention in your article is much appreciated, thank you!

Also, great overview of the state of Mac firmwares past, present, and future.

I had been meaning to get in touch to see if you had a chance to take a look at the two issues I posted on your GitHub. One issue was about the MacBookPro9,2 typo that another commenter just mentioned in this article and you have just fixed.

The other issue is also relevant to this article in that is an idea about how to handle the latest firmware version displayed in SilentKnight for folks running on High Sierra. I was thinking it may get confusing if SilentKnight is reporting firmware versions that are unattainable on High Sierra as the latest version. Maybe my proposal in the GitHub issue is one way, or another could be to simply add a note within SilentKnight that firmware updates are no longer available for High Sierra and the OS must be updated to receive the latest listed firmware.

LikeLiked by 1 person
- 14
  
  hoakley on March 9, 2021 at 12:11 am
  
  Thank you, Pico. Sorry, I don’t use my GitHub as anything other than an online resource for the firmware versions and other files. It’s much better to post comments here, please.
  I’ll be reviewing how SK handles out-of-date firmware, thanks. I actually do think it’s worth telling people what they could have installed if they were to update – we all get too complacent about old versions being just fine, and things haven’t really changed that much, when the macOS we’re running hasn’t had a single security update or any other maintenance for several years.
  Howard.
  
  LikeLiked by 1 person