
Scott_2718 (macrumors newbie, original poster), May 19, 2020
Having recently purchased a used Mac mini, I wanted to return everything to a known quantity. Since there was no OS, that part was easy: I installed High Sierra. I then ran diagnostics, which all passed.

One bit that is not a known quantity is the EFI. Is there any check performed to validate the EFI when the system boots or the OS is installed? Something like an SHA or MD5 message digest of the image? I did not think to check the EFI version before I installed High Sierra, so I have no idea if it was updated during the install. Might the EFI be updated by upgrading to Catalina?

The system is a late 2012 Mac mini Server.
Diagnostics says:
Boot ROM Version = MM61.88Z.010E.B00.1804111136
SMC Version = 2.8f1

System Information says:
Boot ROM Version: 283.0.0
SMC Version (system): 2.8f1

Is there anything I can do to validate the EFI? I've worked in software development long enough to be paranoid about what is possible with malware.

Thanks,
Scott
 
Time to take it out and smash it then, if you are that paranoid. Any malware that has survived a re-install of the OS is not going to be found. The cracker would be smart enough to have it survive the install but stupid enough to let you simply find it? I don't think so...

Edit: Seeing this thread by tsialex reminded me of his work editing the ROMs of various Mac Pros. You can always see if you can find the boot ROM from Apple, dump yours, and then take a hex reader and compare the two for any changes that could have been made.

 
I'd say it's likely that an upgrade to Catalina would also update the Boot ROM. But I don't think that there's any way to easily validate EFI on the 2012 Mini since it doesn't have a T2 chip. Take a look at the relevant section of the Apple Platform Security Guide, which explains how secure boot happens with the T2 and describes the boot process without it:

"Mac computers without an Apple T2 Security Chip don’t support secure boot. Therefore the UEFI firmware loads the macOS booter (boot.efi) from the filesystem without verification, and the booter loads the kernel (prelinkedkernel) from the filesystem without verification."
 
This article from September of 2017 explains that there is EFI malware, that the update process is not transparent to the user, and that it has been found to be lax in some cases (EFI not being updated when it should).

This article from October of 2019 shows what EFI versions are considered current, and how to check the EFI integrity using the eficheck utility.

The eficheck utility compares the generated hashes of the installed EFI against the matching hashes stored in a bundle of such files making up an allowed list.

The eficheck utility also has an option to create a file containing the generated hashes of the installed EFI, but I don't know of any published hashes, other than the aforementioned allowed list, to compare against the results, so there may be no value to the end user.
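Both the "dump yours and compare with a hex reader" suggestion earlier in the thread and the eficheck description above come down to the same two checks: hash the installed image and look it up in an allowlist keyed by Boot ROM version, and, when that fails, diff the dump byte-for-byte against a reference to see where it differs. The script below is an added example of that comparison logic; it is not eficheck and not Apple's code. The image bytes and the allowlist are constructed inline (only the Boot ROM version string comes from the thread), so it runs offline; in practice the dump would come from eficheck's `--save -b <file>` option or a hardware SPI reader, and the reference from an Apple firmware package.

```python
"""Compare a firmware dump against a known-good reference.

Added example for the MacRumors thread; not eficheck and not Apple code.
The sample image, the tampering, and the allowlist are all constructed here.
"""
import hashlib
import hmac

# Boot ROM version string as reported in the thread; the image bytes are
# a constructed stand-in, not a real Apple firmware image.
SAMPLE_VERSION = "MM61.88Z.010E.B00.1804111136"


def build_sample_reference(size: int = 4096) -> bytes:
    """Constructed stand-in for a known-good firmware dump."""
    return bytes((i * 7 + 3) & 0xFF for i in range(size))


def build_tampered(reference: bytes) -> bytes:
    """Copy of the reference with two small constructed patches applied."""
    img = bytearray(reference)
    img[0x100:0x103] = b"\xEB\xFE\x90"  # three bytes changed at 0x100
    img[0x800] ^= 0xFF                   # one byte changed at 0x800
    return bytes(img)


def build_allowlist(reference: bytes) -> dict[str, str]:
    """Allowlist keyed by Boot ROM version -> SHA-256 hex of the image.
    Constructed here; Apple's real allowlist ships with eficheck."""
    return {SAMPLE_VERSION: hashlib.sha256(reference).hexdigest()}


def check_against_allowlist(image: bytes, version: str,
                            allowlist: dict[str, str]) -> tuple[bool, str]:
    """Hash the image and compare with the allowlisted digest for its version."""
    digest = hashlib.sha256(image).hexdigest()
    expected = allowlist.get(version)
    if expected is None:
        return False, f"no reference hash for Boot ROM version {version}"
    if not hmac.compare_digest(digest, expected):
        return False, f"hash mismatch: got {digest[:16]}..., expected {expected[:16]}..."
    return True, "image matches reference"


def diff_images(reference: bytes, candidate: bytes) -> list[tuple[int, int]]:
    """Return (offset, length) ranges where candidate differs from reference.

    A size mismatch is refused rather than silently truncated: a dump that is
    the wrong size for the part is already a finding in itself.
    """
    if len(reference) != len(candidate):
        raise ValueError(f"size mismatch: reference {len(reference)} bytes, "
                         f"candidate {len(candidate)} bytes")
    ranges: list[tuple[int, int]] = []
    start = None
    for i, (a, b) in enumerate(zip(reference, candidate)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, len(reference) - start))
    return ranges


if __name__ == "__main__":
    ref = build_sample_reference()
    allowlist = build_allowlist(ref)
    bad = build_tampered(ref)
    print(check_against_allowlist(ref, SAMPLE_VERSION, allowlist))
    print(check_against_allowlist(bad, SAMPLE_VERSION, allowlist))
    for off, length in diff_images(ref, bad):
        print(f"differs at 0x{off:06x} ({length} bytes): {bad[off:off + length].hex()}")
```

One caveat before trusting a mismatch: a raw dump of the whole SPI flash includes the NVRAM variable store, which legitimately changes from machine to machine and boot to boot, so a full-chip dump will never hash-match a pristine Apple image. Either compare only the firmware volumes that hold code, or use eficheck's own `--integrity-check`, which is built to hash the right regions; a byte diff is then most useful for seeing whether the differences fall inside the variable store or inside code.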
 
Interesting, I had never heard of eficheck. I did a little digging and it looks like it was new as of High Sierra. Looks cool, but like you said, without hashes to compare there's no way to do the validation yourself. My guess is that they intended this process to locate devices with old firmware. It does run automatically once a week, but even if it finds something it's not made clear to the user what happened. Now if they only made it possible to actually download the firmware through the tool...
 