The most worrying feature of the current AI ‘revolution’ is how heavily it’s being promoted by everyone from vibe coders to governments. The best and most enduring revolutions are quiet, and bring change because they’re so compelling. If something new has to be heavily evangelised, look deeply inside it to discover why, and who stands to gain most from that snake-oil.

In the case of Mac firmware, change has been so underplayed that you might not have realised what has happened over the last decade. But Macs have gone from impending disaster in Thunderstrike 2 with many running old firmware known to be vulnerable, to Secure Boot and thoroughly reliable updates.

In 2015 Trammell Hudson, Xeno Kovah and Corey Kallenberg demonstrated a firmware worm they named Thunderstrike 2 that could have been abused to insert malware in boot flash storage in Macs. Had that been exploited it would have been disastrous. Apple acted quickly by hiring Kovah and Kallenberg, and a third firmware security researcher Nikolaj Schlej, but shortly after that Rich Smith and Pepijn Bruienne, then of Duo Labs, reported that many Macs were running outdated firmware. When Apple addressed Thunderstrike 2 it could thus have taken a year or more before most Macs would have been protected.

While Kovah, Kallenberg and Schlej were busy securing firmware, and developing eficheck to routinely screen it in every Mac each week, several of us were trying to work out how to maintain a list of current firmware versions for users to check their Macs against. The answer came in eficheck, which obligingly informed us of those it accepted, and we then discovered how to extract firmware update information from macOS updates, for which I’m eternally grateful to Pico for doing the work. From 4 October 2017 those version lists have been published on this blog.

Two years later, in July 2019, firmware version checking was automated in EFIcienC, the precursor to SilentKnight, and became one of the pillars of checking that your Mac was secure.

In my latest revision of that guidance I was at last able to write that firmware “no longer needs to be checked separately” from macOS. My latest list of firmware versions for macOS 26 Tahoe contains just two, compared with over 39 given for High Sierra. The concern of dozens of articles here over those ten years, firmware and its updating can now be trusted, as Macs have moved from EFI to iBridge (T2) and iBoot (Apple silicon), with modern macOS updaters that install firmware reliably. Well, almost every time.

While Apple implies this in its Platform Security Guide, this remains a quiet revolution that didn’t mean anything to marketing, nor was there any mention in a press release. Neither do Apple’s support notes explain how it makes Apple silicon Macs the first to run the firmware matched with their macOS, and to be fully downgradable using IPSW image files.

This journey hasn’t been smooth, and many will still remember models such as the iMac Retina 5K 27-inch Late 2015 (iMac17,1), which in certain configurations simply wouldn’t update its firmware. We discovered that some other Macs updated reliably until their internal storage was replaced. In the end it was the introduction of the T2 chip that made the big difference, bringing the same EFI and iBridge versions across the whole range of Macs.

Compare this with UEFI Secure Boot, an option that Apple wisely decided not to pursue. One recent vulnerability that could have allowed an attacker to deploy malicious bootkits in systems with Secure Boot enabled was reported by ESET in June 2024, but that vulnerable firmware wasn’t revoked by Microsoft until 14 January 2025. Another recent UEFI vulnerability affecting multiple models of Framework computers, BombShell, allows bypass of their Secure Boot, requiring firmware updates that are still being rolled out.

Sometimes we need to look back to see how far we have come.

Some who use SilentKnight for the first time discover that their Mac has been running for months with one of its security systems disabled. As macOS doesn’t have a dashboard to warn you of such dangerous settings, you may not notice until it’s too late. This article explains how to check those essential security settings on Macs with T2 or Apple silicon chips, and how to put them right. Intel Macs without T2 chips are different, and are covered in a previous version.

Secure Boot

Running your Mac in Full Security ensures it gets full protection from its Secure Boot technology. In an Apple silicon Mac this prevents it from loading third-party kernel extensions, and requires recent approved versions of macOS. Check this in System Information by selecting the Controller item in its Hardware section, or in SilentKnight.

This is controlled in Startup Security Utility, accessed from Recovery. Note that it only works with the paired Recovery system, the one you normally use; Apple silicon fallback Recovery doesn’t have this ability.

If you need to run kernel extensions or other software that can’t be loaded in Full Security, use Startup Security Utility to set the Mac to Reduced Security, and enable kexts. Avoid doing this if at all possible.

Settings are different for Intel Macs with T2 chips, where there are three levels of boot security, and the most common reason for reduction from Full Security is to enable that Mac to boot from external drives, something that Apple silicon Macs can do in Full Security.

System Integrity Protection (SIP)

Since El Capitan, macOS has protected all its system files, even down to bundled apps, using System Integrity Protection. This should make it impossible for malware or other software to change those protected files. SIP is also required for a wide range of other security protection, and should be fully enabled unless you have a compelling reason for disabling it partially or completely. In Apple silicon Macs, its status is reported in System Information’s Controller item, but Intel Macs instead give it in the Software section. It’s also checked by SilentKnight and Skint.

You can turn SIP off, something very occasionally needed to perform certain essential tasks. Doing so requires you to start up in Recovery mode, enter a command in Terminal there, and restart; Apple silicon Macs also need to have their boot security reduced in Startup Security Utility before SIP can be disabled.

To enable SIP, start up in Recovery mode, open Terminal, and type the following command:
csrutil enable; reboot
Once that’s done your Mac will restart in normal mode, and you should confirm that SIP is reported as enabled.

If you ever do need to disable SIP, do yourself a favour and put a sticky note on your Mac’s display to remind you to turn it back on.

Gatekeeper/XProtect

Gatekeeper runs checks on apps when they’re opened, and those can include scans for known malicious software using XProtect. As part of your Mac’s frontline protection against malware, you should leave those enabled unless there’s a compelling reason to temporarily disable them. However, I don’t know of anywhere in the macOS GUI that informs you whether these checks are being performed, although they are reported by SilentKnight and Skint.

If it has been disabled, you may be able to enable it using the command
spctl --enable
but chances are that you will instead need to invoke
sudo spctl --global-enable
requiring you to authenticate using your admin password. Be careful with those commands: the hyphens before enable and global-enable aren’t long dashes, but two separate hyphens.

Signed System Volume (SSV)

When you install Big Sur or later, the vast majority of its system files are saved in its System volume. For your Mac to boot from this, it has to be turned into a snapshot, sealed using a tree of cryptographic hashes, and the master seal ‘signed’ by a hash, which is compared against that set by Apple. This signed system volume is extremely secure and thoroughly reliable. On Intel Macs, this is only reported in Disk Utility, but Apple silicon Macs list it in System Information as well. It’s also reported by SilentKnight and Skint.

The SSV should always be enabled. If it isn’t, you’ll need to re-install macOS.

FileVault

Intel Macs with T2 chips and Apple silicon Macs encrypt the whole of the Data volume on their internal SSD. By default, that uses an internally-generated key that’s used automatically when any user logs in. Although it provides good security in most situations, you’re far better off enabling FileVault, as that protects the encryption key with your password as well. This imposes no overhead on accessing encrypted data, and provides valuable protection for your data at no cost.

Check whether FileVault is enabled in Privacy & Security settings, where you can enable it if it’s not already turned on. SilentKnight checks it as well.

macOS and firmware

To ensure your Mac and its apps are best protected from malware, keep its firmware and macOS up to date. As those are updated together, Macs with T2 or Apple silicon chips that are running the most recent release of their major version of macOS will also be running the current firmware, which no longer needs to be checked separately. Check the version of macOS in the About This Mac command at the top of the Apple menu.

Apple lists current supported versions of macOS on its Security Releases page. Those, and versions of security data software, are also listed and detailed here on this page.

If your Mac is running an older release of macOS and its firmware, update them together using Software Update in General settings.

XProtect Remediator scans

This anti-malware scanner performs automatic background scans to detect and remove a wide range of malicious software. It’s normally scheduled to run at least once a day, when your Mac is awake but not busy, and supplied with mains power. You’re wise to check that its scans are being run correctly, and will probably want to know if it has detected and remediated any malware. SilentKnight and Skint run a quick check of its activity over the previous 36 hours, and XProCheck provides detailed reporting and analysis.

Over the last year or so, XProtect Remediator has been using a timer during its scans, and automatically cancelling them if a scan takes longer than allowed. On many Macs, most scans are terminated early, and that results in warnings from SilentKnight and Skint. If you’re concerned, check the reports in XProCheck, where you’ll see that plugin was cancelled with a status_code of 30, as is typical with the timer.

Check:

• the Mac boots in Full Security, if possible,
• SIP is enabled,
• Gatekeeper/XProtect is enabled,
• it has booted from an SSV,
• FileVault is enabled,
• it’s up to date with macOS,
• XProtect Remediator scans are taking place daily.

SilentKnight does all of those and more.