Mac Security: Securing and Working with Mac’s Firmware


    • This topic has 4 replies, 3 voices, and was last updated 6 years ago.
    #349472

    In this edition of Mac security, I want to talk about securing Mac firmware, as well as give a rundown of Mac firmware in general.

    Overview of Mac Firmware

    Macs do not use a traditional BIOS as some Windows PCs have. Instead, Intel Macs use EFI (Extensible Firmware Interface). Vintage PowerPC Macs use Open Firmware. Macs with a T2 security chip use bridgeOS (a variant of watchOS) to boot the Mac.

    Updating a Mac’s Firmware

    In the past, firmware updates for Macs were delivered via standalone firmware updaters, either downloaded from support.apple.com or delivered through Software Update on the Mac, which then launched the firmware update. Occasionally the update mechanisms on Macs (the Mac App Store for pre-Mojave Macs and Software Update on Mojave Macs) specifically mention Mac firmware updates, but in general, Apple now bundles them into macOS updates, security updates, or supplemental updates. A good way to tell that Apple is installing a firmware update on a Mac is when the Mac reboots, shows an Apple logo, and displays a huge, fast-moving progress bar underneath it. Occasionally, these updates will reset the Mac’s SMC and NVRAM (when it resets the NVRAM, you’ll either hear a double chime on Macs with a startup chime or see the Apple logo appear twice on Macs with a T2 security chip).

    Setting a Firmware Password

    To ensure someone cannot start up a Mac from an external drive, you can set a firmware password on the Mac. This makes it more difficult for someone to swap out or format the drive on a Mac running Find My Mac. Instructions for setting this up are easy, and they are available here. Before resetting a Mac’s NVRAM or parting with a Mac, it is a good idea to disable the firmware password, although I recommend keeping it enabled the rest of the time.

    Macs with a T2 security chip also offer the ability to enable or disable Secure Boot (instructions available here). Full Security offers the highest level of security by verifying the integrity of the operating system; Medium Security offers a level of security that checks to ensure the operating system is properly signed; No Security is the traditional boot process used by Macs before the implementation of the T2 security chip. You can also allow or disallow booting a Mac from external media.

    Keystrokes to Use for Special Mac Boot Processes

    Apple has published an article about keystrokes to use for special Mac boot processes. Here’s a rundown of the most important ones you need to know:

    Command+R: Macs running Lion or later include a built-in recovery partition you can boot from to perform additional troubleshooting.

    Option-Command-R or Shift-Option-Command-R: Boots into a Mac’s Internet Recovery. It works similarly to the recovery partition, but instead the recovery partition is pulled over the Internet from Apple’s servers. This is generally helpful if the recovery partition has been wiped out or won’t boot. In the past, this booted to the oldest version of macOS available for the Mac. Now, it generally boots to the highest version installed for the Mac.

    Option: Allows a Mac to boot up from an external hard drive or Boot Camp partition (for Macs with a Boot Camp Windows partition). Vintage PowerPC Macs can only boot from a FireWire drive formatted as HFS+ with Apple Partition Map. Intel Macs can boot from a FireWire, USB, or Thunderbolt drive formatted as HFS+ or Apple File System (High Sierra or later) with GUID Partition Map.

    Bonus: If you need to access an HFS+ or Apple File System drive on a Windows PC, check out these products from Paragon: HFS+ for Windows and Apple File System for Windows. Macs that need to write to NTFS (Windows) drives should also check out Paragon’s NTFS for Mac.

    Shift: Allows a Mac to boot up in Safe Mode.

    D: Allows a Mac to boot up using Apple Hardware Test or Apple Diagnostics (depending on the Mac model), which are hardware tests for Macs (Macs that need more extensive hardware testing can check out Micromat products such as TechTool Pro).

    C: Allows a Mac to boot up from a live Mac OS X DVD, generally on pre-Lion Macs before recovery partitions.

    X: Allows a Mac to quickly return to the macOS partition on a Mac with a Boot Camp Windows partition.

    Command+S: Allows a Mac to boot up in Single User Mode.

    T: Allows a Mac to boot up in Target Disk Mode. Vintage PowerPC Macs require FireWire. Some Intel Macs require FireWire or Thunderbolt. USB-C is the only variant of USB that works with Target Disk Mode.

    Nathan Parker
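The post above covers setting a firmware password and choosing a Secure Boot level through the GUI, but it never shows how to confirm, from a shell, what a given Mac's firmware posture actually is. The script below is an added example and is not part of Nathan Parker's post or of any Apple tool; it audits an Intel Mac for firmware version, firmware-password state, T2 Secure Boot level, and (where present) Apple's EFI integrity checker. Assumptions made here and labelled in the code: that `firmwarepasswd -check` prints "Password Enabled: Yes/No" (it must run as root), that the T2 Secure Boot level is exposed as the NVRAM variable `94B73556-2197-4702-82A8-3E1337DAFBFB:AppleSecureBootPolicy` with `%02` = Full, `%01` = Medium, `%00` = No Security (as read by common MDM compliance scripts; confirm against Startup Security Utility on your own Mac), and that `eficheck` lives at `/usr/libexec/firmwarecheckers/eficheck/eficheck`. The parsers are separated from the live commands so they can be exercised on constructed output from any machine; the live checks run only on macOS.

```shell
#!/bin/sh
# Added example (not from the original AskWoody post): firmware-posture audit for
# Intel Macs. Run as: sudo sh audit_firmware.sh
# Parsers take command output as a string so they can be tested offline;
# run_audit() wires them to real commands and only executes on macOS (Darwin).

# Map the T2 Secure Boot policy byte to Startup Security Utility wording.
# Input is one line of `nvram` output, e.g.
#   94B73556-2197-4702-82A8-3E1337DAFBFB:AppleSecureBootPolicy<TAB>%02
# ASSUMPTION: %02 = Full Security, %01 = Medium Security, %00 = No Security.
secure_boot_level() {
    value=$(printf '%s\n' "$1" | sed -n 's/.*AppleSecureBootPolicy[[:space:]]*\(%[0-9][0-9]\).*/\1/p')
    case "$value" in
        %02) echo "Full Security" ;;
        %01) echo "Medium Security" ;;
        %00) echo "No Security" ;;
        *)   echo "unknown" ;;
    esac
}

# Interpret `firmwarepasswd -check` output. ASSUMPTION: it prints
# "Password Enabled: Yes" or "Password Enabled: No"; anything else (e.g. the
# "must be run as root" error) is reported as unreadable rather than "not set".
firmware_password_state() {
    case "$1" in
        *"Password Enabled: Yes"*) echo "set" ;;
        *"Password Enabled: No"*)  echo "not set" ;;
        *)                         echo "unreadable" ;;
    esac
}

# Pull the firmware version out of `system_profiler SPHardwareDataType`.
# Older releases label the line "Boot ROM Version", newer ones
# "System Firmware Version"; either is accepted, first match wins.
firmware_version() {
    printf '%s\n' "$1" \
        | grep -E '^[[:space:]]*(Boot ROM Version|System Firmware Version):' \
        | sed 's/^[^:]*:[[:space:]]*//' \
        | head -n 1
}

# Live audit. Each check is skipped, not faked, when its tool is absent.
run_audit() {
    if [ "$(uname -s)" != "Darwin" ]; then
        echo "Not macOS; live checks skipped (parsers above still usable)."
        return 0
    fi
    echo "Firmware version: $(firmware_version "$(system_profiler SPHardwareDataType 2>/dev/null)")"

    if [ -x /usr/sbin/firmwarepasswd ]; then
        state=$(firmware_password_state "$(/usr/sbin/firmwarepasswd -check 2>&1)")
        echo "Firmware password: $state"
        [ "$state" = "not set" ] && echo "  -> consider: sudo firmwarepasswd -setpasswd"
        [ "$state" = "unreadable" ] && echo "  -> rerun with sudo"
    fi

    # ASSUMPTION: GUID/variable name of the T2 Secure Boot policy.
    policy=$(nvram 94B73556-2197-4702-82A8-3E1337DAFBFB:AppleSecureBootPolicy 2>/dev/null)
    if [ -n "$policy" ]; then
        echo "Secure Boot (T2): $(secure_boot_level "$policy")"
    else
        echo "Secure Boot: no T2 policy variable (pre-T2 Mac, or not readable)"
    fi

    # Apple's EFI firmware integrity checker (Intel Macs, High Sierra and later).
    # ASSUMPTION: path below; it compares the EFI image against Apple's allowlist.
    eficheck=/usr/libexec/firmwarecheckers/eficheck/eficheck
    if [ -x "$eficheck" ]; then
        echo "eficheck:"
        "$eficheck" --integrity-check 2>&1 | head -n 5
    fi
}

run_audit
```

A Medium Security or No Security reading on a T2 Mac, or a firmware password that is "not set", is the condition the post warns about: the machine will accept an unsigned or externally booted OS. Before resetting NVRAM or handing the Mac on, `sudo firmwarepasswd -delete` removes the password (you will be prompted for it), which matches the advice above to disable it only for those operations.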

    • #349491

      I really like this series of articles you’ve been writing. They’ve been very helpful as I learn the nuts and bolts of the Mac hardware and operating system. Thanks.

    • #349493

      Umm…I’ve got a 2011 MacPro I used at work for a few months until it wasn’t suitable (don’t ask) and I parked it several years ago. It’s still in the basket, and I’m wondering if there is anything useful about it in re the upcoming WinPocalypse.

      Yes, I know that is not the subject of this thread, but I ran across it and am hoping that at least a/any pointer can help me decide what to do with it.

      Any and all ideas are acceptable.

      jimzdoats

    • #349604

      Umm…I’ve got a 2011 MacPro I used at work for a few months until it wasn’t suitable (don’t ask) and I parked it several years ago. It’s still in the basket, and I’m wondering if there is anything useful about it in re the upcoming WinPocalypse. jimzdoats

      I still have a 2011 iMac that boots up and runs well. Mine is capped at High Sierra since it doesn’t have a Metal-compatible graphics card, but if yours is a Mac Pro tower, you may even be able to insert a Metal-compatible graphics card in it and upgrade to Mojave.

      Even if you’re stuck on High Sierra as the latest OS, it’s still extremely capable and can run just about anything.

      My original goal was to use the iMac as a complete secondary backup machine to my iMac Pro, but trying to keep both machines’ apps up to date and all my data in sync between the two is difficult, and my iMac Pro is a world of difference more powerful than the iMac.

      Therefore, I’ve pivoted to instead working to get my older iMac to do more specific tasks:

      1. Since it has a gorgeous HD screen on it (but not Retina), I bookmarked all my TV streaming sites on it, so I can use it to watch a little TV while I’m working. Since I’m in my office for a long time and seldom watch TV in my living room, I thought about putting a smaller HD TV in my office to watch while I’m working, then I realized I have a beautiful 21″ HD TV with great sound and an aluminum chassis. All I have to do is pull up my streaming services, and I’m set.

      2. I’m installing critical work/school apps on the old iMac (especially apps I use to teach live webinars for work or apps that allow me to access my online school classes), so in the event of an issue with the iMac Pro, my iMac would still be an instant backup for critical, time-sensitive work, even without having to run everything on it.

      3. I’m installing some apps on it I may frequently use that I could use a “second monitor” for, and run those on the iMac when I’m working heavily on my iMac Pro. There’s some weather apps I use at work where it’d be better to run one weather app on one screen and the other on another, and since I don’t have a dual-monitor setup, the dual-computer setup is the next best thing.

      4. I’m installing some Mac troubleshooting tools on it, including an app that would allow me to reset the T2 security chip in my iMac Pro in the event it ever mucked up the booting process.

      5. Other uses for old Macs are: file sharing servers; Macs can run Windows, so if you need to run Windows on Mac hardware, you can; High Sierra still can run 32 Bit apps (Mojave will be the last to run them), so if there are any legacy 32 Bit apps you just can’t part with, that machine can run them; and having the High Sierra Mac on standby is handy for troubleshooting for AskWoody.

      Nathan Parker
