manpagez: man pages & more
man eficheck(8)
Home | html | info | man

eficheck(8)               BSD System Manager's Manual              eficheck(8)


NAME

     eficheck -- check the integrity of the x86 flash chip firmware.


SYNOPSIS

     eficheck --integrity-check [-h EFI-hash-input-file]
              [-b EFI-binary-input-file]
     eficheck --show-hashes [-h EFI-hash-input-file]
              [-b EFI-binary-input-file]
     eficheck --generate-hashes [-h EFI-hash-output-file] [-p output-path]
     eficheck --save [-b EFI-binary-output-file]
     eficheck --cleanup [-b EFI-binary-input-and-output-file>]
     eficheck --version
     eficheck --help


DESCRIPTION

     eficheck is a tool to check the x86 flash chip firmware.

     The following commands can be used with eficheck:

     --integrity-check hashes portion of the firmware and compares against
     known-good hashes

     --generate-hashes outputs hashes for a given firmware to be used as
     known-good hashes

     --show-hashes shows the hashes for the sub-sections of the firmware which
     are measured

     --save saves the full flash chip contents to a binary file. Requires root
     privileges.

     --cleanup zeros any privacy-sensitive data (such as nvram), enabling the
     file to be shared for analysis.

     --version print out eficheck version number.

     --help display a short help.


EXAMPLES

            'eficheck --save -b firmware.bin'

                Save this system's EFI firmware as firmware.bin

            'eficheck --cleanup -b firmware.bin'

                Overwrite the EFI variables portion of the firmware.bin, in
     place

            'eficheck --generate-hashes'

                Analyze the current system's installed EFI firmware, and store
     the hashes into hash file(s) in current folder

                File name(s) will be selected according to image's EFI ver-
     sion(s)

            'eficheck --generate-hashes -b firmware.bin'

                Analyze the firmware.bin, and store the hashes into hash
     file(s) in current folder. Filename will be based on the detected
     firmware version.

            'eficheck --generate-hashes -p /usr/local/allowlists'

                Analyze the current system's installed EFI firmware, and store
     the hashes into hash file(s) in /usr/local/allowlists folder

            'eficheck --integrity-check'

                Attempt to automatically determine which firmware you are run-
     ning, and integrity check against the appropriate file, and report any
     differences

            'eficheck --integrity-check -h /usr/libexec/firmwarecheck-
     ers/eficheck/EFIAllowListShipping.bun-
     dle/allowlists/IM171.88Z.0105.B08.1604111319.0.ealf'

                Compare the current system's EFI firmware against the Apple-
     provided expected measurements for an "iMac17,1" at firmware revision
     B08, and report any differences

            'eficheck --integrity-check -h hash.ealf -b firmware.bin'

                Compare the given hash file against against the given firmware
     image and report any differences

            'eficheck --show-hashes'

                Print the hashes for the current system's installed EFI
     firmware to stdout

            'eficheck --show-hashes -b firmware.bin'

                Print the hashes for the given firmware.bin to stdout

            'eficheck --show-hashes -h IM171.88Z.0105.B08.1604111319.0.ealf'

                Print the hashes for the given allowlist to stdout

                                 May 25, 2017

Mac OS X 10.12.6 - Generated Sat Nov 4 14:39:51 CDT 2017
© manpagez.com 2000-2024
Individual documents may contain additional copyright information.