Apple runs weekly EFI check in High Sierra
The new 10.13 version of macOS, High Sierra, includes a tool that checks the EFI firmware on a weekly basis. If an anomaly is detected, the tool warns the user that something is wrong.
The tool's existence was previously revealed in a beta version of macOS, but according to Apple developer Xeno Kovah it is now included in the final version of High Sierra. The tool is called eficheck and compares the firmware of a system with copies that are known to be free of defects. Kovah described the tool in a series of tweets, which have since been deleted.
He explained that the tool had to meet the requirements of the Privacy Department, which means that it cannot “just collect all the firmware for analysis.” It also appeared that there was no easy way to compare the collected data with different efi binaries, as no database of all published copies existed.
The tool can alert users if it finds a problem with the EFI firmware. They can then send a report to Apple. Kovah writes that users with a Hackintosh, a macOS system that runs on custom hardware, do not have to send data, because this only produces ‘garbage data’. According to the site The Eclectic Light Company, which published a message based on the tweets, the user's choice is remembered.
Kovah developed the tool together with Corey Kallenberg, with whom he founded the security company Legbacore, which was acquired by Apple. They were both involved in the discovery of the Thunderstrike 2 attack, Heise said. The attack involved a firmware worm that spread through Thunderbolt adapters.
The warning in question