With careful observation and a little knowledge of the startup sequence of an Apple silicon Mac, you can learn a lot about what can and can’t happen during that sequence. This article explains how, with examples from the log of a Mac mini M4 Pro.

In broad terms, startup of an Apple silicon Mac consists of the following sequence of events:

• Boot ROM, which ends in DFU mode if there’s a problem, otherwise it hands on to
• the Low-Level Bootloader (LLB) and iBoot (Stage 2), the firmware, that should end in validating and running
• the kernel, which initially runs on a single CPU core before starting others up and launching launchd, and later
• unlocking and accessing the Data volume, and progressing to
• userspace.

The opening entry in the log is the boot announcement of
=== system boot:
followed by the boot UUID. There’s then a gap of 5 seconds or more before the next entry, which marks the start of kernel boot. Those seconds are the silent phase during which the LLB and iBoot are doing their thing. They don’t write to the Unified log, but leave fragments of cryptic information known as breadcrumbs, which you can’t make use of. The kernel then writes its usual welcome of
kprintf initialized
and the following four seconds or so are filled by log entries from the kernel.

Wallclock adjustment

During this phase, the system clock is synchronised, and wallclock time adjusted, usually twice in rapid succession. This is obvious by step changes in timestamp, usually putting the clock back by several seconds in the first sync, then putting it forward slightly in the second. These play havoc with the timestamps, as you can have two or even more instances of the same time being recorded in the log. Beware of the entries
=== system wallclock time adjusted

Early during the kernel phase, it starts up all the other CPU cores in the chip, and records that in the log. Entries become progressively more varied after launchd is loaded, and this first userspace boot (without Data volume access).

Data volume unlock

With FileVault enabled, by this stage macOS still doesn’t have access to the Data volume. That means all the code run so far, and almost all the data, are immutable, locked in the firmware or the Signed System Volume (SSV). The firmware does access LocalPolicy from another container in the internal SSD, and there’s always the NVRAM, but there’s no access to anything in /Library, including the many property lists there. This also means that processes running before the Data volume is unlocked and mounted can’t write to storage.

Around 10-15 seconds after the start of booting, the login window is displayed, ready for the user to enter their password. Once that has been entered, there’s a watershed moment:
30.845097 com.apple.loginwindow Attempting to unlock the data volume <LFVolume: 0x6000001b8e40: [UUID]: Data>
30.883172 "AppleSEPKeyStore":3814:0: Sending notification for volume [UUID] unlocked (action 1, handle -842987934)
30.885459 com.apple.login volume <LFVolume: 0x6000001b8e40: [UUID]: Data> was unlocked
30.886129 com.apple.loginwindow Unlocked data volume <LFVolume: 0x6000001b8e40: [UUID]: Data>
30.886154 com.apple.loginwindow FileVault volume unlocked, allow authorization
30.887562 com.apple.loginwindowLite -[LWLSystemUnlock unlockSystem]:439: Authorization was successful
30.887587 com.apple.loginwindowLite -[LWLSystemUnlock unlockSystem]:447: logging in user hoakley
The times on those entries were deliberately delayed, as I pressed the Return key for password entry after 30 seconds had elapsed, a good 10 seconds later than I could have done so.

Shortly after that, the kernel manager shuts down, a great many kernel space processes are handed over to continue in userspace, and you’ll then see the kernel report
userspace boot

Before the Data volume is unlocked, log entries are frequent, but hardly a torrent, at around 1,000 per second, and more than 25% of them are written by the kernel. Once the kernel has booted userspace and the Data volume is accessible, log entries are written far more frequently, at an average rate of 5,000 per second, often even higher, with less than 10% of them coming from the kernel.

Phase summary

• Boot ROM, entering DFU mode or handing over to
• Low-Level Bootloader (LLB) and iBoot (Stage 2) firmware, without log entries, handing over to
• the kernel, with wallclock adjustments, until
• Data volume unlocking, then into
• userspace and access to /Library and user files.

There are so many controls in macOS that sometimes you can’t see the wood for the trees. This can leave uncertainty over essentials, such as whether your Apple silicon Mac really is properly secure, or maybe there’s something sinister going on with it? This is a question I’m asked not infrequently, usually when someone has been spreading disinformation or FUD (fear, uncertainty, doubt). So how can you check that your Mac is properly locked down and boots securely?

Quick checks

There are two quick checks that cover the essentials. First, open System Information and select the Controller section in Hardware.

This provides a brief summary of your Mac’s boot security, which should read as shown above. If you still need to use a kernel extension or similar, your Mac might show Reduced Security with Allow All Kernel Extensions enabled, but you should do everything you can to avoid that.

Secure Boot is controlled using Startup Security Utility in Recovery mode, and if you care to start up in that mode, you can confirm or correct its settings there.

Back in normal user mode, open Privacy & Security settings and ensure you have FileVault enabled there.

SilentKnight also checks that XProtect/Gatekeeper checks are enabled, and that security data are up to date, giving you complete confidence.

Details

Although those should be sufficient for most, some want to go further and verify that their Mac’s boot process and security systems are also working correctly. To do that, shut your Mac down, wait ten seconds or so, and start up normally with the startup chime sounding at a known time. Enter your password, wait a few seconds for the Finder to get set up and running, and open LogUI. Set its time to that of the startup chime, and get the first 10 seconds or 10,000 log entries. You may need to adjust the seconds to capture the full boot sequence. When you have, look through the log and identify the following waypoints.

In each of these log entries, I have emboldened a word or two that you can copy from here and paste into LogUI’s Search box, then press Return. That will display the log entry, and sometimes others you might find relevant. Times are given here in seconds, with the startup chime occurring at about 37 seconds. Version numbers shown are those for macOS 15.6.

The start of boot is recorded as
37.562774 === system boot: [UUID]
and a little while after that, the kernel declares its version details
42.759300 Darwin Kernel Version 24.6.0: Mon Jul 14 11:30:40 PDT 2025; root:xnu-11417.140.69~1/RELEASE_ARM64_T6041
for macOS 15.6.

Further down you’ll come across more information about key security components, including the Trusted Execution Monitor
43.060422 [Log]: Code Signing Monitor Image4 Module Version 7.0.0: Fri Jul 11 16:51:29 PDT 2025; root:AppleImage4_txm-320.100.22~1090
43.060447 [Log]: build variant: txm.macosx.release.TrustedExecutionMonitor_Guarded-135.100.37

Then the iBoot firmware version
43.061758 iBoot version: iBoot-11881.140.96
43.061760 iBoot Stage 2 version: iBoot-11881.140.96

CoreCrypto support is vital, and another Image4 extension
43.137635 FIPSPOST_KEXT [133796636] fipspost_post:154: [FIPSPOST][Module-ID] Apple corecrypto Module v18.3 [Apple silicon, Kernel, Software, SL1]
43.242334 Darwin Image4 Extension Version 7.0.0: Mon Jul 14 11:23:46 PDT 2025; root:AppleImage4-320.100.22~2585/AppleImage4/RELEASE_ARM64E

You should see entries reporting the loading of security policy components
43.242343 Security policy loaded: AppleImage4 hooks (AppleImage4)
43.242961 Security policy loaded: Apple Mobile File Integrity (AMFI)
43.243092 Security policy loaded: Seatbelt sandbox policy (Sandbox)

The Secure Enclave Processor or SEP is another key component that has to be started up
43.264594 "AppleSEPKeyStore":326:0: starting (BUILT: Jul 14 2025 23:34:10) ("normal" variant 🌽 , 1827.120.2)
43.264639 "AppleSEPKeyStore":471:0: _sep_enabled = 1

Apple System Policy should follow a bit later
43.760156 Security policy loaded: Apple System Policy (ASP)
43.760188 AppleSystemPolicy has been successfully started

The root of the file system is then identified in two entries whose origins go right back to the start of Mac OS X
43.940643 BSD root: disk3s1
43.940644 , major 1, minor 13

And APFS mounts the root file system, using the SSV snapshot
43.941048 apfs_vfsop_mountroot:2984: apfs: mountroot called!
44.034685 apfs_vfsop_mount:2763: disk3s1 Rooting from snapshot with xid 1724240.

One of the most important entries comes shortly after that, where successful validation of the SSV’s root hash is reported
44.038830 authenticate_root_hash:642: disk3s1 successfully validated on-disk root hash

It’s now time to start user space processes, and for that launchd must be loaded so it can launch everything else
44.103761 load_init_program: attempting to load /sbin/launchd

How Secure Boot works

Apple silicon Macs have a small ROM to support DFU mode in case a full Restore is required, and to check and load the first stage of the ‘firmware’, the Low-Level Bootloader or LLB. Only if that matches its signature will the ROM firmware hand over to it and proceed with the boot process. The LLB in turn performs the same checks on the second stage ‘firmware’, iBoot proper. That goes on to check the kernel, before loading that and handing over for kernel boot to take over.

iBoot ‘firmware’ doesn’t write anything in the log, but once the kernel takes over its log entries provide a detailed account of its progress. The great majority of its log entries are unintelligible to anyone outside Apple, but the waypoints I have given above identify some of the most important steps it takes. When it’s ready, the kernel validates the root hash for the SSV snapshot, as noted above, enabling the boot process to proceed to load and run other parts of macOS. The remaining hash checking of the SSV, to confirm that it’s exactly as Apple intends, proceeds in a ‘lazy’ fashion, as access is needed to its contents.

This chain of validation before loading the next stage ensures that nothing in the boot process can be tampered with or changed, and the boot is secure throughout. Apple provides further details in its Platform Security Guide.

By now your Mac should have the latest macOS update installed, and be running the current firmware. This article takes stock of where EFI, T2 and Apple silicon firmware are now, and where they’re heading with the forthcoming release of macOS 26 Tahoe in a month or two.

For many years, the only way your Mac will have its firmware updated is when macOS or one of its updates is installed on it. There is one significant exception to that, in Apple silicon Macs, whose firmware will be completely replaced when it’s put into DFU mode and restored from an IPSW file.

Each macOS update or full installer comes with the firmware current at the time Apple built it. So if your Mac is still running macOS 12.7.6 Monterey and has never installed any later version, it will have the firmware that came with that, such as iBoot 10151.140.19, or T2 version 2022.140.5.0.0 with iBridge 21.16.6074.0.0,0.

Note that firmware is updated whether macOS is installed or updated on the internal storage, or on an external disk. So if your Mac’s internal SSD is still running 12.7.6, but it has been used to update Ventura to 13.7.7 on an external SSD, then it will have the firmware brought in that version of Ventura, rather than that for Monterey. That doesn’t of course apply to macOS installed in any virtual machines, as they can’t update the host firmware.

Intel Macs without T2 chips

All these models appear to have reached the end of their EFI firmware updates, with the versions shown.
iMac:

• iMac18,1 529.140.2.0.0
• iMac18,3 529.140.2.0.0
• iMac19,1 2075.100.3.0.3

MacBook:

• MacBook10,1 529.140.2.0.0

MacBook Pro:

• MacBookPro14,1 529.140.2.0.0
• MacBookPro14,2 529.140.2.0.0
• MacBookPro14,3 529.140.2.0.0

All those date from 23 June 2024, apart from that for the iMac19,1, whose latest firmware is from March 2025. Although the latter could still be updated in a security update to Sonoma or Sequoia, that now looks increasingly unlikely.

Intel Macs with T2 chips

The current EFI version is 2075.140.4.0.0 and iBridge is 22.16.16083.0.0,0, and those are likely to continue to be updated over the coming year. However, T2 models still running macOS Ventura are likely to stay there, unless Apple releases one final extra update. To ensure that your T2 Mac continues to get firmware updates, it now needs to be running Sonoma or later.

Apple silicon Macs

The current iBoot version is 11881.140.96, and that is sure to see a substantial update with the release of macOS 26.0, and in the simultaneous security updates for Sequoia and Sonoma. However, any Apple silicon Mac still running Ventura or earlier will be running an older version of iBoot that it can’t update, unless it installs or updates a more recent macOS in another boot volume group, such as on an external disk.

Apple Studio Display

Display firmware remains at version 17.0 (build 21A329) as it was when updated with macOS Sonoma nearly two years ago in September 2023. Although there’s no sign of any update with the beta-test versions of Tahoe, maybe it’s likely that this will be updated with macOS 26.0 and its associated security updates.

Check

The currently installed firmware version is displayed in System Information, by selecting the Hardware item at the top left. It’s also checked against the current version in SilentKnight. However, in recent Mac models with T2 or Apple silicon chips it’s most unlikely to differ from that brought with the latest version of macOS that Mac has installed or updated. Macs without T2 chips were less reliable, and some older models often failed to update when expected. Thankfully that’s now a problem of the past. If there’s one thing you should be able to trust it’s firmware updating.

From its first announcement of Apple silicon Macs on 22 June 2020, there has been speculation as to when support of Intel models will cease. Now Apple has given exceptionally clear details of its future intentions, and we have a clearer idea of what’s coming in macOS Tahoe, we can make plans at last. This article looks at the years ahead. In each case, major events are scheduled to occur with the annual transition of macOS to the next major version, normally in September-October.

2025

Final security update for macOS 13 Ventura, ending support for:

• iMac 18,1-3
• MacBook 10,1
• MacBook Pro 14,1-3.

If you’re still running Ventura on a Mac capable of Sonoma or later, now is the time to plan the upgrade.

2026

Final security update for macOS 14 Sonoma, ending support for:

• MacBook Air 8,1-2.

First release of an Arm-only version of macOS, 27. However, that and all its updates will continue to include full support for running Intel binaries using Rosetta 2 translation. macOS 27 will be the last major version that supports Rosetta 2 fully in Virtual Machines.

2027

Final security update for macOS 15 Sequoia, ending support for:

• iMac 19,1-2
• iMac Pro
• Mac mini 8,1
• MacBook Air 9,1
• MacBook Pro 15,1-4 16,3.

First release of macOS 28, with full Rosetta 2 support removed. Limited Intel binary support will continue for “older unmaintained gaming titles” only. As a result, virtual machines running macOS 28 will no longer be able to run most Intel binaries.

2028

Final security update for macOS 26 Tahoe, ending support for all remaining Intel models:

• iMac 20,1-2
• Mac Pro 7,1
• MacBook Pro 16,1-2 16,4.

T2 firmware updates are almost certain to cease with the end of support for macOS 26. Major third-party vendors are likely to stop providing Universal binaries, as they too drop support for macOS 26 and Intel models. Apple may decide to remove x86 support from Xcode 29, but hasn’t yet made any statement either way.

Benefits of upgrading macOS in Intel models

Although macOS Sequoia and Tahoe have brought some new features for Intel Macs, much of Apple’s emphasis now requires Arm systems. Major reasons for upgrading your Intel Mac to the most recent version of macOS it can run include:

• Third-party support. Major software vendors like Microsoft normally only support their products on versions of macOS still supported by Apple.
• Safari is only updated in supported versions of macOS.
• Bug fixes. Although new versions bring their own bugs, the chances of an existing bug being fixed in the current release of macOS are far greater than it being fixed in an older version.
• Security vulnerabilities. Only the current version of macOS gets a full set of fixes in each round of security updates, and the older two supported versions often lag the current one.
• Enhancements. Some new features are still provided for both platforms.
• Compatibility. If you already use Apple silicon Macs, or intend doing so, they are more compatible when running the same version of macOS. One topical example is Tahoe’s new ASIF disk image format.
• Quantum-secure encryption. Apple has already started to transition to cryptographic techniques designed to remain secure as and when quantum computers are used in the future to break older methods. This started with iMessage last year, and Apple has announced that macOS 26 Tahoe will support quantum-secure encryption in TLS. This is unlikely to be added retrospectively to older versions of macOS.

I hope you find that helpful in your planning, and wish you success in whatever you choose.