macOS High Sierra Automatically Performs Security Check on EFI Firmware Each Week

Mac users who upgrade to macOS High Sierra will benefit from a significant new security feature that works in the background.


macOS High Sierra automatically checks a Mac's EFI firmware against Apple's database of "known good" data to ensure it hasn't been tampered with, according to a series of tweets from an Apple engineer.

The tweets have since been deleted, but a summary remains available on the Mac blog The Eclectic Light Company ('https://eclecticlight.co/2017/09/24/high-sierra-automatically-checks-efi-firmware-each-week/').
The new utility eficheck, located in /usr/libexec/firmwarecheckers/eficheck, runs automatically once a week. It checks that Mac's firmware against Apple's database of what is known to be good. If it passes, you will see nothing of this, but if there are discrepancies, you will be invited to send a report to Apple.
If the check fails, a prompt will appear with options to "Send to Apple" or "Don't Send." The selection is remembered in subsequent weeks.


The "eficheck" tool sends the binary data from the EFI firmware, and preserves user privacy by excluding data which is stored in NVRAM, according to The Eclectic Light Company. Apple will then be able to analyze the data to determine whether it has been altered by malware or anything else.
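
The following Python example is added here to illustrate the idea described above; it is not Apple's code and does not reproduce eficheck's actual algorithm or data format. It models a "known good" comparison that hashes firmware regions while leaving out NVRAM, so per-machine settings neither trigger a finding nor end up in a report. The region names, sample bytes and allowlist are constructed for the example.

```python
import hashlib

# Constructed sample image: region name -> bytes. Real firmware layouts differ.
SAMPLE_IMAGE = {
    "boot_block": b"\x90" * 64,
    "dxe_volume": b"DXE-DRIVERS" * 8,
    "nvram": b"boot-args=-v;user-setting=1",  # per-machine variables
}

# Assumption for this example: mutable, user-specific regions are never measured.
EXCLUDED = {"nvram"}


def measure(image):
    """Return {region: sha256 hex digest} for every region that is not excluded."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in image.items() if name not in EXCLUDED}


def check(image, known_good):
    """Compare measurements with the allowlist; return a sorted list of findings."""
    measured = measure(image)
    findings = []
    for name in sorted(set(measured) | set(known_good)):
        if name not in known_good:
            findings.append((name, "unexpected region"))
        elif name not in measured:
            findings.append((name, "missing region"))
        elif measured[name] != known_good[name]:
            findings.append((name, "hash mismatch"))
    return findings


# Allowlist built from the pristine constructed image (stand-in for a vendor database).
KNOWN_GOOD = measure(SAMPLE_IMAGE)


def demo():
    """Check a pristine image, one with only NVRAM changed, and one with altered code."""
    nvram_changed = dict(SAMPLE_IMAGE, nvram=b"boot-args=;user-setting=2")
    tampered = dict(SAMPLE_IMAGE, dxe_volume=SAMPLE_IMAGE["dxe_volume"] + b"\xcc")
    return (check(SAMPLE_IMAGE, KNOWN_GOOD),
            check(nvram_changed, KNOWN_GOOD),
            check(tampered, KNOWN_GOOD))


if __name__ == "__main__":
    for result in demo():
        print(result or "firmware matches known-good data")
```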

The database's library will be automatically and silently updated so long as security updates are turned on.

EFI, which stands for Extensible Firmware Interface, bridges a Mac's hardware, firmware, and operating system together to enable it to go from power-on to booting macOS.

macOS High Sierra will be publicly released on the Mac App Store later today.

Tags: security, EFI


Top Rated Comments

16 months ago
Huh, I wonder what this will mean for Hackintosh?
Rating: 14 Votes
16 months ago

Huh, I wonder what this will mean for Hackintosh?


Probably nothing at all.
Will just make actual Macs more secure.
Rating: 8 Votes
16 months ago
This is great news as it should help to guard against any sort of tampering which might result through a bad actor having temporary physical access to a machine such as at a border security point.

I honestly don't believe that Hackintoshes are being targeted here but if increasing legitimate Mac security results in Hackintoshes having a few bumps in the road then so be it IMO.
Rating: 7 Votes
16 months ago

This sounds like a way to get rid of Hackintoshes.
Rating: 6 Votes
16 months ago

This sounds like a way to get rid of Hackintoshes.

Huh, I wonder what this will mean for Hackintosh?


This doesn’t affect hackintoshes. HS is working on them just fine. (The Apple employee who posted the original tweets even said don’t send in your data if you’re on a hack, because it’s useless to them.)
Rating: 6 Votes
16 months ago
Spoken like a government. This is probably not to fight malware but to fight Hackintoshes.
Rating: 6 Votes
16 months ago

This wouldn't have any impact on the reverse, would it? I decided to throw out the Snow Leopard partition on my 2006 Mac Mini and replace it with a current version of Lubuntu, since increasingly little software still supports Snow Leopard and I was worried my Mac Mini was vulnerable having gone so long without a security update.

I guess obviously not. If macOS isn't on the computer, then this efi firmware check would be gone, right? Or is it somewhere below what the Lubuntu installer would have noticed (like, is it in the efi itself? IDK. We're just beyond the realm of stuff I understand now.)


This check is being executed at the OS layer. So if you are not running Mac OS (specifically High Sierra) then the check would never be run.
Rating: 4 Votes
16 months ago
Huh? That’s unexpected. Someone from the Hackintosh community needs to check this out. Very concerning.
Rating: 4 Votes
16 months ago


I honestly don't believe that Hackintoshes are being targeted here but if increasing legitimate Mac security results in Hackintoshes having a few bumps in the road then so be it IMO.


As a recent hackintosh builder I agree. Apple needs to ensure its users have the most secure devices possible. If that means I have to do some workarounds or stay on Sierra I am fine with it.
Rating: 3 Votes
16 months ago
This has been needed for a long time. The real question is when Apple will change from reporting to refusing. This is when it goes too far. As to hackintoshes, my guess is that they have security updates turned off anyway and so at least for now, will not apply.
Rating: 3 Votes