7.1 Extensible Firmware Interface (EFI) password

Information

EFI is the software link between the motherboard hardware and the operating system. EFI determines which partition or disk macOS is loaded from, and it also determines whether the user can enter single user mode. The main reasons to set a firmware password have been protection against booting from an alternative disk, protection against a passwordless root shell through single user mode, and protection against FireWire DMA attacks. While it was easier in the past to reset the firmware password by removing RAM, this did make tampering slightly harder, because having to remove the RAM also defeated memory-scraping attacks through DMA. It has always been difficult to manage the firmware password on macOS computers, though some tools did make it much easier.

Apple patched OS X in 10.7 to mitigate the DMA attacks, and the use of FileVault 2 full-disk encryption mitigates the risk of damage to the boot volume if an unauthorized user boots from a different volume or uses single user mode. Apple's reliance on the recovery partition and the additional features it provides make controls that prevent the user from booting into the recovery partition less attractive.

Starting in late 2010 with the MacBook Air, Apple has gradually tightened the requirements for recovering from a lost firmware password. Apple only supports taking the computer to an Apple Authorized Service Provider. This change makes managing the firmware password effectively more critical if it is used.

Setting the firmware password may be a good practice in some environments. We cannot recommend it as a standard security practice at this time.

http://support.apple.com/kb/ts3554

https://jamfnation.jamfsoftware.com/article.html?id=58

http://derflounder.wordpress.com/2012/02/05/protecting-yourself-against-firewire-dma-attacks-on-10-7-x/

http://derflounder.wordpress.com/2013/04/26/booting-into-single-user-mode-on-a-filevault-2-encrypted-mac/

Impact:

In environments where strict processes are mandated for change control, allowing the user to boot to recovery and possibly change configurations on the boot volume will be unacceptable. The risk analysis for this control is that the user of the computer already has login rights, decryption rights, and access to user data. In most known use cases, device management controls will be sufficient to mitigate and discover insider circumvention of controls. Some organizations will not accept the risk of even temporary control changes on devices and may need to set an EFI password to block unauthorized changes even from trusted insiders.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

None

See Also

https://workbench.cisecurity.org/files/3569

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-8, CSCv7|2

Plugin: Unix

Control ID: b8bcf8d01c3adba7495273b8d57210fa0e4cd0fc781cbd1bbde96e78e40b2a3b