On 25 September 2017, when Apple released High Sierra, it came with a new tool that brought order and security to the EFI firmware in Macs: eficheck. A year ago I wrote that it looked as if that was on its way out: the time must now be fast approaching, as Apple prepares to reduce support for Intel Macs without T2 chips at WWDC in just over a month.
EFI firmware used in Intel Macs goes back to 1998, when Intel started work on its original Extensible Firmware Interface (EFI) as a replacement for the BIOS then used in PCs. When Apple began making the transition from PowerPCs in 2006, EFI was becoming Unified into UEFI, and was Apple’s chosen successor to the Open Firmware it had been using in PowerPCs since 1994.
Over the years, Apple extended the capability of its EFI firmware, to include support for startup key commands, originally termed snag keys, and support for Boot Camp. But the biggest threat to Mac firmware came in demonstrations of proof-of-concept attacks by two security researchers from LegbaCore, Xeno Kovah and Corey Kallenberg, in March 2015. Those were extended to Macs later that year by Kovah and Trammell Hudson in a firmware worm they named Thunderstrike 2. Apple responded quickly by changing the way that it delivered firmware updates, so they could only be installed as part of a system upgrade or update.
Two years later, Apple had more firmware problems on its hands, when Rich Smith and Pepijn Bruienne of Duo Labs revealed that many Macs were running old and outdated firmware, posing a serious security risk. By that time Apple had already hired Xeno Kovah and Corey Kallenberg, and Nikolaj Schlej the following year, to work alongside its MacEFI team and put Mac firmware in order. Every week or so since the release of High Sierra, their tool eficheck has checked current EFI firmware against a local database of versions known to be good, and (with the user’s permission) sends a report to Apple in the event that it finds discrepancies.
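The check just described, an allowlist of known-good firmware per Mac model, a comparison against what is currently installed, and a report that is only composed when the user has consented, is easy to model. The following is an added example written for this article, not Apple’s eficheck code: the model names, firmware version strings and image contents are constructed, and the exact database layout and report format are assumptions.

```python
"""Model of an eficheck-style firmware allowlist check.

Added example, not Apple's code. eficheck compares the Mac's current EFI
firmware against a local database of known-good versions and, with the user's
consent, reports discrepancies. The data below is constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


def _digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


# Constructed allowlist: model -> {firmware version: SHA-256 of the firmware image}.
# A real database would be shipped with macOS and updated alongside it.
KNOWN_GOOD = {
    "MacBookPro14,1": {
        "EXAMPLE.FW.1": _digest(b"constructed-mbp141-image-v1"),
        "EXAMPLE.FW.2": _digest(b"constructed-mbp141-image-v2"),
    },
    "iMac18,1": {
        "EXAMPLE.FW.1": _digest(b"constructed-imac181-image-v1"),
    },
}


@dataclass
class CheckResult:
    status: str                 # "ok", "unknown-model", "unknown-version", "hash-mismatch"
    report: Optional[dict]      # payload that would be sent, or None if nothing to send


def check_firmware(model: str, version: str, image: bytes,
                   consent_to_report: bool) -> CheckResult:
    """Compare installed firmware against the allowlist and build a report if needed.

    Order matters: an unknown model cannot be judged at all, an unknown version
    string may be a newer (not yet listed) or a tampered image, and a known
    version whose image hash differs is the strongest signal of modification.
    """
    versions = KNOWN_GOOD.get(model)
    if versions is None:
        status = "unknown-model"
    elif version not in versions:
        status = "unknown-version"
    elif versions[version] != _digest(image):
        status = "hash-mismatch"
    else:
        status = "ok"

    report = None
    # Report only on a discrepancy, and only when the user has agreed to send one.
    if status != "ok" and consent_to_report:
        report = {
            "model": model,
            "reported_version": version,
            "image_sha256": _digest(image),
            "status": status,
        }
    return CheckResult(status=status, report=report)


if __name__ == "__main__":
    good = check_firmware("MacBookPro14,1", "EXAMPLE.FW.2",
                          b"constructed-mbp141-image-v2", True)
    bad = check_firmware("MacBookPro14,1", "EXAMPLE.FW.2",
                         b"constructed-but-modified-image", True)
    print(good.status, bad.status, bad.report["status"])
```

The point worth noticing is the split between detection and reporting: the status is always computed locally, and the report leaves the machine only when both a discrepancy exists and consent was given, which is the behaviour the article attributes to eficheck.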
This changed again in late 2017 when Apple started building T2 chips into Intel Macs, and again with the first Apple silicon Macs three years later. As those use different firmware, eficheck doesn’t apply. That now leaves macOS Ventura supporting just seven versions of Intel Macs that don’t have T2 chips: three iMacs (iMac18,1, 18,3, 19,1), one MacBook (MacBook10,1), and three MacBook Pros (MacBookPro14,1, 14,2, and 14,3). With WWDC in just over a month, and the near-certain announcement of macOS 14, they’re the most likely models to lose support when that’s released in less than six months from now.
I’m sure that Apple will leave eficheck running in macOS 12 and 13 while they remain supported, so if you’re still using an Intel Mac without a T2 chip, it will continue to benefit from its weekly firmware check. But for those of us whose Macs are capable of running macOS 14, I suspect that eficheck will have finally gone, one way or another.
If you still want to run eficheck yourself, I believe that current problems reported earlier this week in Ventura may be a side-effect of changing security, and should be fixed before Apple puts Ventura into maintenance.
For almost six years, eficheck has been one of those hidden gems in macOS. It has been so effective that three years ago Microsoft introduced a similar mechanism into its Defender ATP. As WWDC draws near, let’s pour one out for eficheck and the engineers that secured our Macs’ firmware, as we move on to macOS 14.