Firmware on the change: 1 Out with the old

Each time Apple has changed processor architecture, there has been a concomitant change in firmware. The transition from Intel to Apple Silicon has been complicated by an intermediate stage with the T2 processor. As Apple’s support for pre-T2 Intel models starts to wane, these two articles look at where we’ve been, and where we are now.

Classic Mac firmware for the Motorola 68K family was replaced by Open Firmware when PowerPC models arrived in 1994. Open Firmware originated as Sun Microsystems’ OpenBoot, and was adopted most notably by Apple and IBM. As Open Firmware is based on the language Forth, PowerPC-based Macs can be booted into an interactive interface, which made it straightforward to support and bring up new hardware. It was also a security nightmare.

EFI

In 1998, Intel started work on the original Extensible Firmware Interface (EFI) as a replacement for the BIOS in PCs. By the time Apple was starting its transition from PowerPCs in 2006, EFI was changing into Unified EFI (UEFI), which has since progressed as far as version 2.9 by 2021.

Once a Mac has cleared its initial self-test routines (POST), and key custom chips like the SMC are running, EFI firmware is loaded next. The purpose of the EFI phase and the boot loader boot.efi is to augment the basic facilities provided by BootROM to the point where the macOS kernel can be loaded with its extensions. Key to this is providing access to the Mac’s hardware through the device tree, IODeviceTree, which lists and relates all the devices in that Mac. This is built by boot.efi and passed to the kernel when it loads, and forms the basis for IOKit within macOS.

Model-specific boot.efi software (“OS X booter”) also provides ongoing and additional support for boot services, including memory management, basic functions for timers and events, and for hardware access. It supports basic console protocols for input and output, and access to storage systems. Runtime services extend these to give access to variables stored in the NVRAM, and to GUIDs/UUIDs which are used for key variables in the EFI phase and later.

Most importantly, boot.efi looks for startup key commands (which Apple has termed “snag keys”), such as Command-R to run in Recovery mode, Command-S and -V for Single User and Verbose modes, and Shift for Safe mode. By this stage, some models should have basic Bluetooth support, and may be able to detect startup keys from wireless keyboards.

When Apple introduced Boot Camp, it made changes to boot.efi to support booting from operating systems other than macOS. This essentially provides a suite of drivers which support Mac hardware in terms of a Windows hardware platform, which are engaged when the Mac is to be booted up in that operating system rather than macOS.

Firmware security

An attacker who gains access to a computer’s firmware owns it before it has even started up. Malware in firmware is the ultimate in persistence and control. It’s such a serious issue that Intel has introduced its Hardware Shield, Dell has SafeBIOS, and Microsoft has Secure Launch.

In March 2015, two security researchers from LegbaCore, Xeno Kovah and Corey Kallenberg, demonstrated proof-of-concept attacks on the BIOS of several computers including Dell, HP, and other PCs which could implant malicious code. Later that year, Kovah and Trammell Hudson turned their attention to Macs, demonstrating a firmware worm named Thunderstrike 2.

For the first nine years of Intel Macs, Apple provided EFI firmware updates separately from updates to OS X. That year, Apple changed the way that it supplied EFI firmware, delivering it only as part of system upgrades and updates. Although you can still download older separate firmware today, those are the last to be made available in that way. This has resulted in the orphaning of Macs running older and unsupported versions of macOS: if your Mac is still running Sierra, for instance, the most recent firmware it can normally have installed is the last which was bundled in the last security update for Sierra, which was 2019-004, released on 22 July 2019.

Putting EFI in order

Then in 2017, Rich Smith and Pepijn Bruienne of Duo Labs undertook research to assess the state of EFI firmware in Macs, and discovered that many were running outdated versions. Their concern was less about potential bugs and other problems, and more about the security risk that this posed. Duo Labs released an online tool for checking whether a Mac’s firmware was up to date, and on 4 October 2017 I published my first listing of current firmware versions here, following a detailed explanation of the problem. With the help of readers, notably Pico, I’ve since tried to maintain a list of current firmware versions for all reasonably recent Macs.

Apple had already been busy, hiring Xeno Kovah and Corey Kallenberg who started work there in November 2015, and Nikolaj Schlej, another firmware security researcher, who joined them the following August. They developed a new tool eficheck which was released in High Sierra, on 25 September 2017, before the virtual ink had dried on the Duo Labs report. Each week since, eficheck has been checking current firmware against a local database of versions which are known to be ‘good’, and (with the user’s permission) sends a report to Apple in the event that it finds discrepancies. Apple’s thrust here was less about ensuring that firmware was the latest version, and more about detecting anomalies which could indicate malware.

High Sierra also brought a more rigorous policy of maintaining firmware in Macs running older, but still-supported, versions of macOS, with regular Security Updates, as I explained in early 2018. This was followed by a new system for numbering firmware versions, which was introduced on 30 October 2018, and made it much easier to track whether Macs are up to date, although as Apple hasn’t provided any list of current firmware versions, users have always had to rely on third parties such as Duo Labs and my articles here. This is in spite of the fact that the current firmware version is displayed in System Information, a fact of no value unless you can discover which version number it should be running.

As more users have been able to check the version of firmware in their Mac against lists of what’s current, many have reported anomalies where, despite keeping up to date with the latest version of macOS, their Mac seems stuck on an old firmware version. In an effort to make checking firmware even easier, on 4 July 2019 I released the first beta-test of a new app EFIcienC, which automatically compared the version found against lists which I maintain on my GitHub. This app later became SilentKnight, which now checks a full range of security data versions and other important settings.
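The kind of comparison described above, a Mac’s reported firmware version checked against a list of expected versions, can be sketched as follows. This is an added example, not code from EFIcienC, SilentKnight or eficheck; the sample report, the expected-version table and all version numbers in it are constructed, and the field labels are assumed to be those printed by `system_profiler SPHardwareDataType`.

```python
import re

# Constructed sample of hardware report text (not taken from a real Mac).
SAMPLE_REPORT = """\
Hardware:

    Hardware Overview:

      Model Name: iMac
      Model Identifier: iMac17,1
      Boot ROM Version: 200.9.0.0.0
"""

# Hypothetical expected-version list keyed by model identifier.
# These numbers are placeholders, not real current firmware versions.
EXPECTED = {"iMac17,1": "200.10.0.0.0", "MacPro6,1": "150.0.0.0.0"}

# Older macOS labels the field "Boot ROM Version", newer "System Firmware Version".
FIELD = re.compile(
    r"^\s*(Model Identifier|Boot ROM Version|System Firmware Version):\s*(\S+)",
    re.M,
)

def parse_report(text):
    """Return (model identifier, firmware version) found in the report text."""
    found = dict(FIELD.findall(text))
    version = found.get("Boot ROM Version") or found.get("System Firmware Version")
    return found.get("Model Identifier"), version

def version_key(version):
    """Turn a dotted-numeric version into a tuple of ints, or None if not in that form."""
    if not version or not re.fullmatch(r"\d+(\.\d+)*", version):
        return None
    return tuple(int(part) for part in version.split("."))

def check_firmware(text, expected=EXPECTED):
    """Classify the reported firmware against the expected list for its model."""
    model, version = parse_report(text)
    if model not in expected:
        return (model, version, "unknown-model")
    have, want = version_key(version), version_key(expected[model])
    if have is None:
        return (model, version, "unrecognised-format")
    # Compare numerically: as plain strings, "200.9" would sort after "200.10".
    if have < want:
        return (model, version, "outdated")
    if have > want:
        return (model, version, "newer-than-list")
    return (model, version, "current")

if __name__ == "__main__":
    print(check_firmware(SAMPLE_REPORT))
```

A version that is newer than the list, or not in dotted-numeric form at all, is reported separately rather than treated as up to date, since either can mean the list is stale or the firmware is not what was expected.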

Although in the two years which had passed since the Duo Labs report and Apple’s introduction of eficheck relatively few Macs appeared to be running very old firmware, it has also become clear that there are still problems with updating firmware in Intel Macs. Because eficheck is still largely concerned with detecting potential malware, reports it has sent to Apple can’t convey the difficulties that some have experienced.

For example, one user had upgraded their Mac Pro (Late 2013) by replacing its internal storage, and had to remove that and restore their Mac with its original Apple-fitted SSD before any macOS update would perform a firmware update. Some variants of other models also proved a problem, but one stood out as being exceptionally prone to failure, the iMac Retina 5K, 27-inch, Late 2015 – the dreaded iMac17,1.

Change

In 2016, the year before Smith and Bruienne’s report, Apple introduced first the T1 processor, then hot on its heels the T2 the following year. I will consider those in tomorrow’s sequel.

From reports that I have seen, Apple may be about to change its monitoring of EFI firmware in Intel Macs without T2 chips. With the imminent release of Monterey 12.3 on 18 March, it looks like eficheck has served its purpose, and may be transitioning out of its current role of checking installed firmware. This doesn’t mean that Apple is leaving EFI firmware unsupported, merely that the watchful eye of the last four years is finally about to close.

Over that period, Apple has also rationalised EFI firmware versions. There was a time when every single model had its own firmware version, but a glance at the current situation shows that Intel Macs without T2 chips have largely converged on two different version numbers. It will take Apple several years before it can move on completely from EFI firmware, but that process is already well under way.