Firmware has become complicated again

Before Intel Macs came with T2 chips, their EFI firmware was such a nightmare that macOS came with the eficheck service, which ran periodically to ensure a Mac’s firmware was reasonably up to date. Although EFI firmware updates came with each macOS update, some models built in specific configurations appeared unable to update their firmware, and fell years out of date. To get an idea of how complicated EFI firmware became, browse the last versions for Intel MacBook Pro models in my database on GitHub.

In 2017 the T2 chip changed this, and ever since all Macs with T2 chips kept up to date with a supported version of macOS have run the same firmware. When the first Apple silicon Macs arrived in 2020, the same rule applied, in that they all ran the same version of their iBoot firmware, as long as they were kept up to date with a supported version of macOS.

The first crack appeared in macOS Tahoe 26.4, when Apple unexpectedly changed firmware version numbering for Apple silicon Macs, resulting in them updating from an iBoot version of 13822.81.10 to mBoot 18000.101.7, not that Apple has mentioned a word about this. As far as I can guess, it was to bring Mac and device firmware into the same numbering system. At least the matching security updates to 14.8.5 and 15.7.5 also switched to the new mBoot version, retaining some coherence.

Last night, the Tahoe security update to version 26.5.2 came with an mBoot firmware update, from 18000.120.36 in 26.5 to 18000.121.3 (there were no firmware updates in 26.5.1). Today’s problem arises from the fact that Apple didn’t release security updates for its other two supported versions of macOS, Sonoma and Sequoia, just Safari updates. So as of this morning, Apple silicon Macs kept up to date with a supported version of macOS could have either:

  • mBoot 18000.120.36 if they’re still running Sonoma 14.8.7 or Sequoia 15.7.7, or
  • mBoot 18000.121.3 if they’re running Tahoe 26.5.2.

Add to those the users who are running a beta release of macOS 14, 15 or 26, who may have a different version again, and those beta-testing Golden Gate, who may have yet another mBoot version.

As far as I’m aware, this is the first time in the last six years that large numbers of Macs will have firmware that is out of sync. I’m hoping that security updates to 14.8.8 and 15.7.8 might be released shortly to restore order, although the release of Safari updates suggests that Apple doesn’t intend doing that. For the time being, this is what you should expect to see in SilentKnight:

  • SilentKnight version 2.14 will simply report the mBoot version, 18000.120.36 for 14.8.7 and 15.7.7, or 18000.121.3 for 26.5.2.
  • SilentKnight version 3.01 will report those same versions as being “found”, while expecting 18000.120.36. I can’t set the version expected to that for 26.5.2 because that would then make 14.8.7 and 15.7.7 report their mBoot firmware as being out of date, although they don’t have any other option.

I suppose six years of simplicity and clarity in firmware versions was a good run, but it looks as if SilentKnight 3 is going to have to return to making complicated checks on firmware once more.
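
One way a check keyed on the macOS major version could avoid the false "out of date" report described above, as an added example that is not SilentKnight's code. The version numbers are those quoted in this article; the table layout and the function names `parse_version`, `compare` and `check_firmware` are assumptions for illustration.

```python
# Added example, not SilentKnight's code. Version numbers come from the
# article; the table and function names are assumed for illustration.

# Expected mBoot version per supported macOS major version.
EXPECTED_MBOOT = {
    14: "18000.120.36",  # Sonoma 14.8.7
    15: "18000.120.36",  # Sequoia 15.7.7
    26: "18000.121.3",   # Tahoe 26.5.2
}


def parse_version(text):
    """Turn '18000.121.3' into (18000, 121, 3) so fields compare as numbers."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def compare(found, expected):
    """Classify a found firmware version against a single expected one."""
    f, e = parse_version(found), parse_version(expected)
    if f == e:
        return "current"
    return "out of date" if f < e else "newer than expected"


def check_firmware(macos_version, found):
    """Compare against the firmware this macOS branch is able to install."""
    major = parse_version(macos_version)[0]
    expected = EXPECTED_MBOOT.get(major)
    if expected is None:
        return "no expected version"
    return compare(found, expected)


if __name__ == "__main__":
    # One global expected value set to Tahoe's firmware wrongly flags Sonoma.
    print("single value:", compare("18000.120.36", "18000.121.3"))
    # Keyed on the macOS major version, each up-to-date Mac reports current.
    for macos, fw in [("14.8.7", "18000.120.36"), ("15.7.7", "18000.120.36"),
                      ("26.5.2", "18000.121.3"), ("26.5", "18000.120.36")]:
        print(macos, fw, "->", check_firmware(macos, fw))
```

Comparing the fields as integers matters because a plain string comparison would rank a middle field of 99 above 101.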