7.8 Extensible Firmware Interface (EFI) password


EFI is the software link between the motherboard hardware and the software operating system. EFI determines which partition or disk to load Mac OS X from, it also determines whether the user can enter single-user mode. The main reasons to set a firmware password have been protections against an alternative boot disk, protection against a passwordless root shell through single user mode and protection against firewire DMA attacks. In the past it was not difficult to reset the firmware password by removing RAM but it did make tampering slightly harder and having to remove RAM remediated memory scraping attacks through DMA. It has always been difficult to Manage the firmware password on OS X computers, though some tools did make it much easier.

Apple patched OS X in 10.7 to mitigate the DMA attacks and the use of FileVault 2 Full-Disk Encryption mitigates the risk of damage to the boot volume if an unauthorized user uses a different boot volume or uses Single User Mode. Apple's reliance on the recovery partition and the additional features it provides make controls that do not allow the user to boot into the recovery partition less attractive.

Starting in Late 2010 with the MacBook Air Apple has slowly updated the requirements to recover from a lost firmware password. Apple only supports taking the computer to an Apple authorized service provider. This change makes managing the firmware password well if used more critical.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


Setting the firmware password may be good practice in some environments. We cannot recommend it as a standard security practice at this time.





See Also