eficheck does not work on Macs with T2 chips
Originator: 0xmachos
Number: rdar://42910459
Date Originated: 03/08/2018
Status: Closed
Resolved:
Product: macOS + SDK
Product Version: 10.13.6
Classification:
Reproducible: Yes
Area: Something not on this list

Summary:
The eficheck utility does not work on Macs equipped with T2 chips.

Steps to Reproduce:
1. /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check

Expected Results:
eficheck reports the EFI firmware version and whether or not the version is on the allowlist and if the hashes have changed or not.

Actual Results:
$ /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check
ReadBinaryFromKernel: No matching services found. Either this system is not supported by eficheck, or you need to re-load the kext
IntegrityCheck: couldn't get EFI contents from kext

Version/Build:
System Software Overview:
    System Version: macOS 10.13.6 (17G2208)
    Kernel Version: Darwin 17.7.0
    Boot Volume: ***
    Boot Mode: Normal
    Computer Name: ***
    User Name: ***
    Secure Virtual Memory: Enabled
    System Integrity Protection: Enabled
    Time since boot: ***

Configuration:
    Model Name: MacBook Pro
    Model Identifier: MacBookPro15,2
    Processor Name: Intel Core i7
    Processor Speed: 2.7 GHz
    Number of Processors: 1
    Total Number of Cores: 4
    L2 Cache (per Core): 256 KB
    L3 Cache: 8 MB
    Memory: 16 GB
    Boot ROM Version: 15.16.6703.0.0,0
    Serial Number (system): ***
    Hardware UUID: ***

Comments
Consider Reopening
With the recent attacks against the T2 chip (using Checkm8 via Checkra1n to shell the T2), it would be nice if Apple reconsidered a userland option for verifying the integrity of these components.
Closed with the following comment
Regarding this: said “My request is that there should be some way to verify the integrity of EFI from userland on Macs with T2 chips.”
The architecture for T2 systems is such that there is much less value in attempting to make eficheck work with it, and thus enhancements are not currently on our plans.
We are closing this bug report.