7.8 Extensible Firmware Interface (EFI) password

Information

EFI is the software link between the motherboard hardware and the software operating system. EFI determines which partition or disk to load macOS from, it also determines whether the user can enter single-user mode. The main reasons to set a firmware password have been protections against an alternative boot disk, protection against a passwordless root shell through single user mode and protection against firewire DMA attacks. In the past it was not difficult to reset the firmware password by removing RAM but it did make tampering slightly harder and having to remove RAM remediated memory scraping attacks through DMA. It has always been difficult to Manage the firmware password on macOS computers, though some tools did make it much easier.

Apple patched OS X in 10.7 to mitigate the DMA attacks and the use of FileVault 2 Full-Disk Encryption mitigates the risk of damage to the boot volume if an unauthorized user uses a different boot volume or uses Single User Mode. Apple's reliance on the recovery partition and the additional features it provides make controls that do not allow the user to boot into the recovery partition less attractive.

Starting in Late 2010 with the MacBook Air Apple has slowly updated the requirements to recover from a lost firmware password. Apple only supports taking the computer to an Apple authorized service provider. This change makes managing the firmware password effectively more critical if it is used.

Setting the firmware password may be good practice in some environments. We cannot recommend it as a standard security practice at this time.

http://support.apple.com/kb/ts3554

https://jamfnation.jamfsoftware.com/article.html?id=58

http://derflounder.wordpress.com/2012/02/05/protecting-yourself-against-firewire-dma-attacks-on-10-7-x/

http://derflounder.wordpress.com/2013/04/26/booting-into-single-user-mode-on-a-filevault-2-encrypted-mac/

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

None

See Also

https://workbench.cisecurity.org/files/3013

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-8, CSCv7|2

Plugin: Unix

Control ID: c71c4aade2306c2e37c3fbc380cb05218b1c167713101e4681649772b4e35e4e