hoakley May 5, 2023 Macs, Technology

Is this the end for eficheck and non-T2 Intel Macs?

On 25 September 2017, when Apple released High Sierra, it came with a new tool that brought order and security to the EFI firmware in Macs: eficheck. A year ago I wrote that it looked as if that was on its way out: the time must now be fast approaching, as Apple prepares to reduce support for Intel Macs without T2 chips at WWDC in just over a month.

EFI firmware used in Intel Macs goes back to 1998, when Intel started work on its original Extensible Firmware Interface (EFI) as a replacement for the BIOS then used in PCs. When Apple began making the transition from PowerPCs in 2006, EFI was becoming Unified into UEFI, and was Apple’s chosen successor to the Open Firmware it had been using in PowerPCs since 1994.

Over the years, Apple extended the capability of its EFI firmware, to include support for startup key commands, originally termed snag keys, and support for Boot Camp. But the biggest threat to Mac firmware came in demonstrations of proof-of-concept attacks by two security researchers from LegbaCore, Xeno Kovah and Corey Kallenberg, in March 2015. Those were extended to Macs later that year by Kovah and Trammell Hudson in a firmware worm they named Thunderstrike 2. Apple responded quickly by changing the way that it delivered firmware updates, so they could only be installed as part of a system upgrade or update.

Two years later, Apple had more firmware problems on its hands, when Rich Smith and Pepijn Bruienne of Duo Labs revealed that many Macs were running old and outdated firmware, posing a serious security risk. By that time Apple had already hired Xeno Kovah and Corey Kallenberg, and Nikolaj Schlej the following year, to work alongside its MacEFI team and put Mac firmware in order. Every week or so since the release of High Sierra, their tool eficheck has checked current EFI firmware against a local database of versions known to be good, and (with the user’s permission) sends a report to Apple in the event that it finds discrepancies.

This changed again in late 2017 when Apple started building T2 chips into Intel Macs, and again with the first Apple silicon Macs three years later. As those use different firmware, eficheck doesn’t apply. That now leaves macOS Ventura supporting just seven versions of Intel Macs that don’t have T2 chips: three iMacs (iMac18,1, 18,3, 19,1), one MacBook (MacBook10,1), and three MacBook Pros (MacBookPro14,1, 14,2, and 14,3). With WWDC in just over a month, and the near-certain announcement of macOS 14, they’re the most likely models to lose support when that’s released in less than six months from now.

I’m sure that Apple will leave eficheck running in macOS 12 and 13 while they remain supported, so if you’re still using an Intel Mac without a T2 chip, it will continue to benefit from its weekly firmware check. But for those of us whose Macs are capable of running macOS 14, I suspect that eficheck will have finally gone, one way or another.

If you still want to run eficheck yourself, I believe that current problems reported earlier this week in Ventura may be a side-effect of changing security, and should be fixed before Apple puts Ventura into maintenance.

For almost six years, eficheck has been one of those hidden gems in macOS. It has been so effective that three years ago Microsoft introduced a similar mechanism into its Defender ATP. As WWDC draws near, let’s pour one out for eficheck and the engineers that secured our Macs’ firmware, as we move on to macOS 14.

9Comments

Add yours

1

frpsr on May 5, 2023 at 9:44 am
Reply

This is good , because seldom is a word I rarely use .

LikeLiked by 1 person
2

Raymond Horner on May 5, 2023 at 9:52 am
Reply

I have an iMac19,2 that doesn’t have an Apple T2 chip. Shouldn’t this be included in your list?

LikeLiked by 1 person
- 3
  
  hoakley on May 5, 2023 at 5:37 pm
  Reply
  
  I think as far as support is concerned, that’s a sub-variant of the 19,1. This gets even more complicated with MacBook Pros, of course.
  Howard.
  
  LikeLike
4

Anthony Reimer on May 5, 2023 at 5:14 pm
Reply

I doubt that support for non-T2 Macs will be reduced as you suggest before macOS 15 or perhaps even 16. Apple was selling 27-inch iMacs without a T2 until August 2020. These weren’t “long in the tooth” models like the Mac Pro 2013 or Mac mini 2014 that Apple stopped supporting in Ventura; they were released as new in March 2019. These models will still be in heavy use, particularly in Education. I would expect the 2017 iMac and MacBook models to no longer be supported in macOS 14, but I do expect the 2019 iMac to be supported for the current version of macOS for at least another year. It is true that Apple does sometimes make certain features only available to some hardware models, but that’s normally new features, not legacy ones. If Apple does pull support, there will be a bunch of us filing feedback rather promptly.

LikeLiked by 1 person
- 5
  
  hoakley on May 5, 2023 at 5:35 pm
  Reply
  
  Thank you.
  You state: “I would expect the 2017 iMac and MacBook models to no longer be supported in macOS 14”
  That’s exactly what I mean by “reduced support”, rather than dropping *all* support. Yes, I’d expect Apple to continue to support at least one variant of iMac without a T2 chip, and I think that will be largely determined by those educational users and which iMac variant(s) they are using.
  It’s commonly assumed that Apple makes these decisions entirely on the age of Mac, and when it was last sold. As Apple knows how many of each variant are still use, particularly among its large customers in education and enterprise, I think that’s a much greater determinant than trying to support any specific model for X years. And that’s what all the evidence points to.
  As to whether that continued support justifies keeping eficheck alive in macOS 14, I seriously doubt it. It has done its job well, but that’s now complete. I’ll be most surprised to see eficheck still included in macOS 14.
  Howard.
  
  LikeLike
6

Paul on May 8, 2023 at 12:17 pm
Reply

Howard,

I do think that support for the 2017 iMac 2015 Dual Core will continue at a minimum (if not for more non-T2 models) because Apple kept selling this until October 2021, even after the release of the M1 iMac, to target the educational market. I also still see a lot of 21.5 iMacs in commercial use, for example at medical offices, and given the likely lease lifecycle of 3-4 years, I suspect this will also be supported in MacOS 15 as well.

Thank you for running a very informative site.

Paul

LikeLiked by 1 person
- 7
  
  Paul on May 8, 2023 at 3:22 pm
  Reply
  
  Howard,
  
  My apologies for only noticing your nuance in hindsight – that it is eficheck that will not be supported. I would think that given non-T2 would have continued support, I would still be surprised if removing eficheck would be advantageous vs the increased security risk.
  
  Again, you have a brilliant site.
  
  Best regards,
  
  Paul
  
  LikeLiked by 1 person
  - 8
    
    hoakley on May 8, 2023 at 4:51 pm
    Reply
    
    I don’t think that there is any increased security risk, though: eficheck doesn’t verify that the firmware is the latest version. If there are only one or two supported models, running a weekly check on them has served its purpose now. They will be running at least their current firmware under Ventura, and may not even need an update for macOS 14.
    That’s a very different situation to that when High Sierra was released.
    Howard.
    
    LikeLike
- 9
  
  hoakley on May 8, 2023 at 4:47 pm
  Reply
  
  Thank you.
  I suspect that some at least of those non-T2 models will make it to macOS 14, although which is anyone’s guess at the moment. But support is dwindling fast now.
  Howard.
  
  LikeLike

Share this:

Like this:

Related