Detections
Analytics

2.9 Ensure Legacy EFI Is Valid and Updating - integrity-check

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

In order to mitigate firmware attacks, Apple has created an automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days.

This check is only valid on T1 chips and prior. Neither T2 chips nor Apple silicon require this control check

Rationale:

If the Firmware of a computer has been compromised, the Operating System that the Firmware loads cannot be trusted, either.

Solution

If EFI does not pass the integrity check, you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended.

Additional Information:

EFI is the software link between the motherboard hardware and the software operating system. EFI determines which partition or disk to load macOS from, and it also determines whether the user can enter single user mode. The main reasons to set a firmware password have been protections against an alternative boot disk, protection against a passwordless root shell through single user mode, and protection against firewire DMA attacks. While it was easier in the past to reset the firmware password by removing RAM, it did make tampering slightly harder because having to remove RAM remediated memory scraping attacks through DMA. It has always been difficult to manage the firmware password on macOS computers, though some tools did make it much easier.

The EFI password management capability has been replaced in new Apple silicon Macs. The security features are replaced in the Silicon Mac recoveryOS. Long-term it appears that macOS EFI management is a deprecated technology in mixed Intel/Apple Silicon environments.

Apple patched OS X in 10.7 to mitigate the DMA attacks, and the use of FileVault 2 Full-Disk Encryption mitigates the risk of damage to the boot volume if an unauthorized user uses a different boot volume or uses single user mode. Apple's reliance on the recovery partition and the additional features it provides make controls that do not allow the user to boot into the recovery partition less attractive.

Starting in late 2010 with the MacBook Air, Apple has slowly updated the requirements to recover from a lost firmware password. Apple only supports taking the computer to an Apple authorized service provider. This change makes managing the firmware password effectively more critical if it is used.

Setting the firmware password may be a good practice in some environments. We cannot recommend it as a standard security practice at this time.

See Also

https://workbench.cisecurity.org/files/4000

Item Details

References: CSCv7|2.2

Plugin: Unix

Control ID: 432d510165de465dc37b9b3a1eac61872db558a92c956e35d262fe8949fbc1b2