Why is firmware so troubled?

None of us wants to talk about firmware. Not firmware engineers, who want it to just work, of course. Not Apple, who don’t want users worrying about the innards of their Macs or devices. Not users, because it’s not well understood and should just get on with its job. And, most important of all, not those who support Macs, because it’s so difficult. If you can bear with me, I’ll try to break that silence a little.

In the simple model of how computers work, firmware sits between the hardware and software, the latter including the kernel and low-level OS functions. In truth, it’s not a single entity: in an Intel Mac, the main processor has EFI firmware, any T2 chip its iBridge firmware, and each of the major subsystems, such as the SMC, disk controllers, and Ethernet interface, has its own firmware too.

It’s hardware-specific, and has undergone complete change each time that Macs have switched architecture: Classic Mac firmware for the Motorola 68K family was replaced by Open Firmware when PowerPC models arrived, that in turn was replaced by EFI firmware for Intel Macs, and we’re currently undergoing yet another change with the arrival of Apple Silicon systems. Difficult and possibly dry it might be, but firmware is ever-changing and deeply important to our Macs.

Firmware is also one of the most serious issues in security. An attacker who gains access to your Mac’s firmware owns it before it has even started up. Malware in firmware is the ultimate in persistence and control. It’s such a serious issue that Intel has introduced its Hardware Shield, Dell has SafeBIOS, and Microsoft has Secure Launch. In March 2015, two security researchers from LegbaCore, Xeno Kovah and Corey Kallenberg, demonstrated proof-of-concept attacks on the BIOS of several computers including Dell, HP, and other PCs which could implant malicious code. Later that year, Kovah and Trammell Hudson turned their attention to Macs, demonstrating a firmware worm named Thunderstrike 2.

Until 2015, Apple supplied EFI firmware for Macs separately from updates to OS X, and those are still available today. However, this was a bad system for several reasons, so from then on firmware updates have only been supplied as part of system upgrades and updates. This has resulted in the orphaning of Macs running older and unsupported versions of macOS: if your Mac is still running Sierra, for instance, the most recent firmware it can normally have installed is the version bundled in the last security update for Sierra, which was 2019-004, released on 22 July 2019.

Then in 2017, Rich Smith and Pepijn Bruienne of Duo Labs undertook research to assess the state of EFI firmware in Macs, and discovered that many were running outdated versions. Their concern was less about potential bugs and other problems, and more about the security risk that this posed. Duo Labs released an online tool for checking whether a Mac’s firmware was up to date, and on 4 October 2017 I published my first listing of current firmware versions here, following a detailed explanation of the problem. With the help of readers, notably Pico, I’ve since tried to maintain a list of current firmware versions for all reasonably recent Macs.

Apple had already been busy, hiring Xeno Kovah and Corey Kallenberg who started work there on 10 November 2015, and Nikolaj Schlej, another firmware security researcher, who joined them on 5 August 2016. They developed a new tool eficheck which was released in High Sierra, on 25 September 2017, before the virtual ink had dried on the Duo Labs report. Each week, eficheck checks the current firmware against a local database of versions which are known to be ‘good’, and (with the user’s permission) sends a report to Apple in the event that it finds discrepancies. Apple’s thrust here was less about ensuring that firmware was the latest version, and more concerned with detecting anomalies which could indicate malware.

High Sierra also brought a more rigorous policy of maintaining firmware in Macs running older, but still-supported, versions of macOS, with regular Security Updates, as I explained in early 2018. This was followed by a new system for numbering firmware versions, which was introduced on 30 October 2018, and made it much easier to track whether Macs are up to date, although as Apple hasn’t provided any list of current firmware versions, users have always had to rely on third parties such as Duo Labs and my articles here. This is in spite of the fact that the current firmware version is displayed in System Information, a fact of no value unless you can discover which version number it should be running.

As more users have been able to check the version of firmware in their Mac against lists of what’s current, many have reported anomalies, in which, despite keeping up to date with the latest version of macOS, their Mac seems stuck on an old firmware version. In an effort to make checking firmware even easier, on 4 July 2019 I released the first beta-test of a new app EFIcienC, which automatically compared the version found against lists which I maintain on my GitHub. This app later became SilentKnight, which now checks a full range of security data versions and other important settings.
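
The version comparison described above, as an added example rather than code from eficheck, EFIcienC or SilentKnight: it parses hardware-profile text of the kind `system_profiler SPHardwareDataType` prints and reports whether the firmware is behind a list of current versions. The sample output, the field labels it looks for, and every version number in the list are assumptions constructed for illustration.

```python
import re

# Constructed sample of `system_profiler SPHardwareDataType` output (not from the page).
SAMPLE = """\
Hardware:

    Hardware Overview:

      Model Name: iMac
      Model Identifier: iMac17,1
      Boot ROM Version: 170.0.0.0.0
"""

# Hypothetical list of current firmware; these version numbers are constructed placeholders.
EXPECTED = {"iMac17,1": "173.0.0.0.0", "Macmini8,1": "1037.0.0.0.0"}

# "Label: value" lines only; section headings such as "Hardware:" carry no value and are skipped.
FIELD = re.compile(r"^[ \t]*([^:\n]+):[ \t]*(\S.*?)[ \t]*$", re.M)

def as_tuple(version):
    """Dotted-numeric version -> tuple of ints, or None for any other format."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        return None
    return tuple(int(part) for part in version.split("."))

def check(profile_text, expected=EXPECTED):
    """Return (model, firmware_found, status) for one hardware profile."""
    fields = dict(FIELD.findall(profile_text))
    model = fields.get("Model Identifier")
    # Assumed labels: older macOS prints "Boot ROM Version", newer "System Firmware Version".
    raw = fields.get("Boot ROM Version") or fields.get("System Firmware Version") or ""
    # T2 models append the iBridge version in parentheses; keep only the first token.
    found = raw.split()[0] if raw else ""
    wanted = expected.get(model)
    if wanted is None:
        return model, found, "unknown-model"
    have, want = as_tuple(found), as_tuple(wanted)
    if have is None or want is None:
        return model, found, "manual-review"  # format cannot be ordered numerically
    if have < want:
        return model, found, "outdated"
    return model, found, "current" if have == want else "newer-than-list"

if __name__ == "__main__":
    print(check(SAMPLE))
```

A version string that is not purely dotted-numeric is reported as `manual-review` rather than guessed at, since it cannot be ordered against the newer numbering.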

Although in the two years which had passed since the Duo Labs report and Apple’s introduction of eficheck relatively few Macs appeared to be running very old firmware, it has also become clear that there remain problems with updating firmware in Intel Macs. Because eficheck is still largely concerned with detecting potential malware, reports it has sent to Apple can’t convey the difficulties that some have experienced.

For example, one user had upgraded their Mac Pro (Late 2013) by replacing its internal storage, and had to remove that and restore their Mac with its original Apple-fitted SSD before any macOS update would perform a firmware update. Some variants of other models also proved a problem, but one stood out as being exceptionally prone to failure, the iMac Retina 5K, 27-inch, Late 2015 – the dreaded iMac17,1.

Over the last couple of years, most of these problems have been resolved, leaving just that one model in trouble, the iMac17,1.

In the meantime, Macs have moved on too. The T2 chip now fitted as standard to Intel models has greatly complicated firmware, as the T2 runs its own iBridge firmware, and problems updating that have rendered a few Macs unbootable, or ‘bricked’. As those issues have become rarer, we now have completely new Macs based on the M1 SoC, whose firmware is more closely related to that used in iOS/iPadOS devices, and not in the least bit EFI. Like Intel Macs with a T2 chip, M1 Macs only have one common firmware (or iBoot) version number, and updating them appears far more reliable.

Firmware will continue to pose problems for those running Intel models without T2 chips, but as they’re progressively replaced by Apple Silicon Macs, it looks as if the problems first publicised by Duo Labs over three years ago will continue to fade into the past. It’s only appropriate that Apple’s firmware security engineers, including Xeno Kovah and Nikolaj Schlej, and perhaps Corey Kallenberg too, have seen this through from their work on eficheck to the M1 firmware. Without them, who knows what might have happened to Mac firmware.