Apple - How can the average user easily validate the integrity of their Mac's firmware?

The title of “how can an average user” is a bit of a danger zone, since I don’t consider anyone who uses Terminal average - not passing judgement, just that the audience here is way above average to even know they should validate firmware. Hopefully I’m not sounding too pretentious with this short summary of what I think the average Mac user should do:

The macOS installer updates firmware when you install / reinstall the OS, so by simply booting to recovery and reinstalling the current version of macOS, you will not lose any programs, settings, or data, and you get a chance to ensure your firmware is up to date. Even if you installed the OS several months ago - if newer firmware is around when the installer checks while getting ready to install, you’ll get that update as part of the exercise.


If you’re not able or willing to just run an install, then it becomes much more tricky to report / validate that you’re really up to date. I suppose it depends on why you think you didn’t get the updates as part of the normal upgrade / update process. Since there’s no general check on all the firmware, I would say the average user cannot validate firmware, and even exceptional users are having difficulty performing the level of analysis required. Average users struggle with the difference between authentication and authorization. Expert users find it tedious to verify checksums and cryptographic chains of trust, and human nature is that we don't do those activities well, even in well engineered, well motivated, well supported environments.

I would open a support ticket with Apple for each instance where I wanted to verify firmware and participate in the official Apple Security Notifications mailing list so you're in the loop when things change.

I'm sorry if this isn't the answer you wanted, but I also felt this was my small entry into an answer to everyone that sees your question and wonders how to start on learning. As more users ask Apple for support, eventually knowledge base articles will be written. At some tipping point, funding would be added and the problem would be engineered to match the user education levels. We're just in the early days from where I see things.


To check the firmware of an Intel UEFI system, such as a Mactel, boot the Intel LUV (Linux UEFI Validation) distro, luv-live, and run Intel CHIPSEC. It'll check for most of the publicly-known firmware vulnerabilities. You should run CHIPSEC when you first get your box, save the ROM, then occasionally re-run CHIPSEC and compare the ROMs for changes. You can use UEFITool, CHIPSEC, UEFI-Firmware-Parser, or a handful of other tools to do a forensic examination of the ROM.

For some more information about the topic and the tools involved, see my slides for a presentation I gave recently.
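As an added example (not from the answer above, and not CHIPSEC or LUV code), a small Python script for the "save the ROM, then re-run and compare" step: it diffs a baseline flash dump against a later one block by block, so a change shows up as offset ranges rather than just a mismatched hash. That the dumps are raw flash images (for example from `chipsec_util spi dump`) is an assumption; the sample images here are constructed in memory.

```python
import hashlib

# Added example for the "save the ROM, re-run CHIPSEC and compare" step; not
# CHIPSEC or LUV code. It diffs two raw flash dumps (assumed to be e.g. from
# `chipsec_util spi dump`) block by block and reports which regions changed.
BLOCK = 4096  # typical SPI flash erase-block size

def changed_regions(baseline: bytes, current: bytes, block: int = BLOCK) -> list[tuple[int, int]]:
    """(offset, length) of each contiguous run of differing blocks. A size
    mismatch counts as a change over the tail of the longer image."""
    regions: list[tuple[int, int]] = []
    longest = max(len(baseline), len(current))
    start = None
    for off in range(0, longest, block):
        if baseline[off:off + block] != current[off:off + block]:
            if start is None:
                start = off
        elif start is not None:
            regions.append((start, off - start))
            start = None
    if start is not None:
        regions.append((start, longest - start))
    return regions

def compare_dumps(baseline: bytes, current: bytes) -> dict:
    """Summary worth recording next to the dumps: hashes, size check, changes."""
    regions = changed_regions(baseline, current)
    return {
        "baseline_sha256": hashlib.sha256(baseline).hexdigest(),
        "current_sha256": hashlib.sha256(current).hexdigest(),
        "same_size": len(baseline) == len(current),
        "changed_regions": regions,
        "changed_bytes": sum(length for _, length in regions),
        "identical": not regions,
    }

def sample_dumps() -> tuple[bytes, bytes]:
    """Constructed 64 KiB stand-in (not a real ROM): a baseline plus a copy
    with bytes flipped in blocks 3, 4 and 9."""
    base = bytes((i * 7) & 0xFF for i in range(16 * BLOCK))
    cur = bytearray(base)
    cur[3 * BLOCK + 10] ^= 0xFF   # blocks 3 and 4 are adjacent: one region
    cur[4 * BLOCK + 100] ^= 0x01
    cur[9 * BLOCK] ^= 0x80        # isolated change: a second region
    return base, bytes(cur)

if __name__ == "__main__":
    for off, length in compare_dumps(*sample_dumps())["changed_regions"]:
        print(f"changed region: offset 0x{off:06x} length 0x{length:x}")
```

Regions that fall inside the NVRAM variable store will change on any normal boot, so a baseline should be taken with that in mind and compared against the volume layout reported by UEFITool.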