Firmware matters

When a Mac starts up, it goes through three main phases:

Boot ROM, burned into permanent storage,
Pre-boot, loosely termed firmware, and run from separate Flash storage and the internal SSD (T2 and Apple silicon),
Kernel, loaded with its plethora of extensions from disk storage.

This article explains what that second stage does, and how it’s managed.

Boot ROM

The Boot ROM can only be altered by changing that Mac’s logic board, and is intended to provide the absolute minimum needed to get the Mac started and hand over to Pre-boot. In Apple silicon Macs, this requires verification of the Low-Level Bootloader (LLB), the first stage of Pre-boot. If that fails to verify or there’s another recoverable problem, then the Boot ROM is responsible for putting the Mac into DFU mode, then handling a Refresh or Restore over a USB cable. This explains why DFU mode can’t take advantage of a Thunderbolt connection: it’s limited to USB to minimise the hardware that needs to be driven by the Boot ROM.

Pre-boot

Before the kernel can be booted there’s a lot more hardware to be made available. In Apple silicon Macs, there’s also a series of verifications and validations to be performed. LLB verifies and loads system-paired firmware, reads NVRAM to discover the intended boot volume, validates its LocalPolicy stored on the internal SSD, reads and follows its configuration, locates the iBoot code, verifies that and hands over to it. iBoot then takes over to verify and load macOS-paired firmware and the system trust cache, verify the signature on the SSV and the kernel collections, and finally verify, load and run the kernel.

Pre-boot also has to detect and handle variant boot sequences, most commonly starting up in Recovery. Intel Macs detect that through a key combination, so Bluetooth, USB and a basic keyboard driver all have to be loaded and run long before the kernel can start.

Apple silicon Macs handle this better and more securely, relying on the Power button instead. When Recovery mode is selected, the boot process changes to access the paired Recovery volume in the current boot volume group, from where a protected disk image has to be mounted and recoveryOS run from there. If the Power button signal has opted instead for Fallback Recovery, then the disk image is loaded from its hidden container on the internal SSD.

Intel Macs have a different fallback to cope with loss of normal and Recovery boot resources: remote or Internet Recovery. This requires the drivers to support a network connection, and downloading a disk image to boot from, which is considerably more complex than the equivalent DFU mode in Apple silicon Macs.

Firmware has changed with each switch of architecture. PowerPC-based Macs used Open Firmware, originally introduced by Sun, and based on the interactive programming language Forth. Intel processors brought the Extensible Firmware Interface (EFI, or UEFI now that it has become Unified), in common with most other PCs. When Apple added its T2 chip to Intel Macs, they booted the Intel side using UEFI, and the T2 using bridgeOS. Apple silicon Macs use a secure boot proprietary to Apple, including the LLB and iBoot.

Updates

Prior to the introduction of the T2 chip, Intel Macs had many different firmware versions. These converged into a single version for all with a T2 when running the same release of macOS, and so far all Apple silicon Macs have also had common firmware versions. While that simplifies updates considerably, it also means that pre-boot ‘firmware’ has to change more frequently. We should therefore expect firmware updates with each minor release of macOS, and sometimes with intermediate patch releases. At least they’re quicker and far less nerve-racking in Apple silicon Macs.

For many years now, Apple hasn’t provided separate firmware updates, but bundles them in macOS installers and updates. The only way to update a Mac’s firmware is thus to install macOS or one of its updates with the new firmware included. Basic rules apply to this:

Firmware updates are only installed in the Mac running the macOS installer or updater, and can’t be transferred using an external disk.
A Mac that installs or updates macOS on an external disk will have its firmware updated to the version installed by that installer or updater, even though that version of macOS isn’t installed on that Mac’s internal storage.
With one notable exception, firmware can only be updated to a newer version, and never downgraded to an earlier version.
Apple normally releases identical firmware updates to all the supported versions of macOS at the same time, to keep them in sync.
Once Apple ceases to support a version of macOS, there are no more firmware updates provided for it. The only way to update firmware then is to upgrade to a supported version of macOS, although you can upgrade or install that to an external disk. That might leave an older version of macOS running on the internal disk with a newer firmware version, though. While most find that compatible, it is a known risk.
Virtual Machines (VMs) install, update and run their own firmware entirely inside the VM. Updating a VM can never update the firmware of the host Mac.

Apple silicon Macs are different, in that performing a full Restore in DFU mode installs the firmware for that version of macOS, even when that’s older than the previous firmware. This is because a full Restore erases the existing firmware and replaces it with the firmware contained in the IPSW image that’s installed. That isn’t possible in Intel Macs because of their different firmware architecture.
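Because all T2 Macs, and all Apple silicon Macs, share one firmware version for a given macOS release, a single baseline per architecture is enough to spot a Mac whose firmware has fallen behind or been taken back by a full Restore. The script below is an added example, not Apple's or this article's own code: it parses `system_profiler SPHardwareDataType` output and compares the version numerically against a baseline you supply. The sample outputs, their version numbers and the `FIRMWARE_BASELINE` variable are constructed for illustration.

```bash
#!/bin/bash
# Added example: compare a Mac's firmware version with a baseline you supply.

# Constructed samples of `system_profiler SPHardwareDataType` output (versions invented).
SAMPLE_APPLE_SILICON='Hardware:
    Hardware Overview:
      Chip: Apple M1 Pro
      System Firmware Version: 10000.41.5
      OS Loader Version: 10000.41.5'
SAMPLE_INTEL_T2='Hardware:
    Hardware Overview:
      Processor Name: 6-Core Intel Core i7
      Boot ROM Version: 1968.100.17.0.0 (iBridge: 21.16.4222.0.0,0)'

# Read profiler text on stdin and print the firmware version.
# Apple silicon reports "System Firmware Version"; Intel reports "Boot ROM Version",
# with the T2's bridgeOS (iBridge) version in parentheses, which is dropped here.
firmware_version() {
    awk -F': *' '
        /System Firmware Version:/ || /Boot ROM Version:/ {
            split($2, parts, " ")
            print parts[1]
            exit
        }'
}

# Succeed when dotted version $1 is older than $2. Fields are compared as
# numbers, so 10000.41.5 sorts before 10000.101.3 (a string compare would not).
version_lt() {
    if [ "$1" = "$2" ]; then return 1; fi
    oldest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n -k4,4n -k5,5n | head -n 1)
    [ "$oldest" = "$1" ]
}

# $1 = baseline version; profiler text on stdin.
# Prints "current <version>", "outdated <version>" or "unknown".
assess_firmware() {
    found=$(firmware_version)
    if [ -z "$found" ]; then echo "unknown"
    elif version_lt "$found" "$1"; then echo "outdated $found"
    else echo "current $found"
    fi
}

# On a real Mac: FIRMWARE_BASELINE=<version for your macOS release> ./script.sh
if [ -n "${FIRMWARE_BASELINE:-}" ] && command -v system_profiler >/dev/null 2>&1; then
    system_profiler SPHardwareDataType | assess_firmware "$FIRMWARE_BASELINE"
fi
```

An "outdated" result on a Mac that boots a supported macOS only from an external disk, or that still runs an unsupported macOS internally, points to the update rules above rather than to a fault.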