Price of Intel Xeon W with 14 and 18 Cores…

Intel recently released the Xeon W processor line with the following price tags:

Intel® Xeon® W-2155 $1440
Intel® Xeon® W-2145 $1113
Intel® Xeon® W-2135 $835
Intel® Xeon® W-2133 $617
Intel® Xeon® W-2125 $444
Intel® Xeon® W-2123 $294

But the processors with fourteen and eighteen cores will only be released in Q4 and thus their price is still unknown. But are they? I mean. Come on. Have a look at the Intel processor price list. Take a look at these:

E5-2650 v4 $1445
E5-1660 v4 $1113
E5-1650 v4 $617
E5-2623 v3 $444
E5-1620 v4 $294

Do you see what happened there? Well. In that case you probably come to the same conclusion for these two:

Intel® Xeon® W-2195 $2424 (same as E5-2695 v4)
Intel® Xeon® W-2175 $1846 (same as E5-2683 v4)

Both guesstimates, but one thing is for sure, and that is that they will be bloody expensive. Man. AMD must be partying all day long…

Edit: The price of the Intel® Xeon® W-2195 is even higher. A whopping $2553
The price of the Intel® Xeon® W-2175 will probably be closer to $1950. The latter is based on the per-core price.

Advertisement

iMac Pro comes with Xeon W Processor…

The wait is over. Intel today formally released the Xeon W processors and here are the two known processors that will be used in the new iMac Pro:

Intel Xeon W-2140B @ 3.2GHz ( 8 cores and 16 threads)
Intel Xeon W-2150B @ 3.0GHz (10 cores and 20 threads)

Edit: Processor models updated. Based on the Geekbench Compute results that I found.

The processors requires a C422 chipset for full support. Just like I said back in June. I also like what Intel did – they basically renamed the E5-1600 series. Now people know what a workstation processor is, but the Intel product specifications however still mentions: “Vertical Segment Server” and that is confusing.

Edit: There are no power management resource plists for the Xeon W processors, not even in DP-8. That also means, probably, that the board-id that I used back in June, is wrong. I think that we will find a new one some day soon.

Note: The references to Purley in the firmware were a bit puzzling, but they seem to share the same Intel source code.

Yah! Gigabyte said to provide me with a motherboard for this processor line, and Intel will ship two processors next Monday!

User Approved Kernel Extension Loading…

Apple is trying to improve security on the Mac, and starting with macOS High Sierra,
kernel extensions that are installed with or after the installation of macOS High Sierra, will require user consent in order to load signed kernel extensions. This new feature should also make us more aware about the kernel extensions that we have installed. Some of which we may no longer need. After all. Not every uninstaller does what it should do.

Ok. Let me start with an example:

This is what I got when I tried to load the Intel kernel extension (with sudo kextload EnergyDriver.kext) from a terminal window.

Please note that there is nothing wrong with this extension. It simply wasn’t there, because I did a fresh installation of macOS High Sierra (a Developer Beta) and thus I had to allow it.

Anyway. Let’s have a look at the updated Security and Privacy preference panel, with a new button to allow blocked kernel extension. Here it is:

It shows you the name of the developer. In this example it’s one from ‘Intel Corporation Apps’. And when you ‘Allow’ a blocked kernel extension, then the entry in the SQL database (KextPolicy) for this developer (per TeamID) will be updated accordantly.

Ok. Everything so far should be clear. Oh. One more thing. This feature is also known as User Approved Kernel Extension Loading. And any user can approve a kernel extension, even one without administrator privileges. Wait. What? Yup. Read this:

Kernel extensions don’t require authorization if they:

Were on the Mac before the upgrade to macOS High Sierra.
Are replacing previously approved extensions.

This also explains why I had to allow the Intel kernel extension. Because it wasn’t there before, and I had not approved it already. You may now wonder if we can we disable this new feature. No worries. You can. Here’s what Apple has to say about disabling this feature:

If you want to disable User Approved Kernel Extension Loading, boot into macOS Recovery and use the spctl command. Run the command by itself to get more information about how to use the spctl command.

That’s it. You’re on your own. There is no detailed information about what you can, should and should not (try to) do. Great.

Let’s start with the output of it

Apple-iMacPro:~ Apple$ spctl

System Policy Basic Usage:
     spctl --assess [--type type] [-v] path ... # assessment
     spctl --add [--type type] [--path|--requirement|--anchor|--hash] spec ... # add rule(s)
     spctl [--enable|--disable|--remove] [--type type] [--path|--requirement|--anchor|--hash|--rule] spec # change rule(s)
     spctl --status | --master-enable | --master-disable # system master switch

Kernel Extension User Consent Usage:
     spctl kext-consent ** Modifications only available in Recovery OS **
     status
          Print whether kernel extension user consent is enabled or disabled.
     enable
          Enable requiring user consent for kernel extensions.
     disable
          Disable requiring user consent for kernel extensions.
     add
          Insert a new Team Identifier into the list allowed to load kernel extensions without user consent.
     list
          Print the list of Team Identifiers allowed to load without user consent.
     remove
          Remove a Team Identifier from the list allowed to load kernel extensions without user consent.

Apple-iMacPro:~ Apple$ spctl kext-consent status

Kernel Extension User Consent: ENABLED

Apple-iMacPro:~ Apple$ spctl kext-consent disable

spctl: failed to store new configuration.

Apple-iMacPro:~ Apple$ sudo spctl kext-consent disable

Kernel Extension User Consent: DISABLED
Please restart for changes to take effect.

Apple-iMacPro:~ Apple$ sudo spctl kext-consent enable

Kernel Extension User Consent: ENABLED
Please restart for changes to take effect.

Apple-iMacPro:~ Apple$ spctl kext-consent list

spctl: no kext consent configuration found.

Apple-iMacPro:~ Apple$ sudo spctl kext-consent add 0123456789
Apple-iMacPro:~ Apple$ spctl kext-consent list

Allowed Team Identifiers:
0123456789

Apple-iMacPro:~ Apple$ sudo spctl kext-consent remove 0123456789
Apple-iMacPro:~ Apple$ spctl kext-consent list

Locating Your Team ID

The Team ID is a unique 10+ character string generated by Apple that’s assigned to your team. You can find your Team ID using your developer account.

To locate your Team ID

Sign in to developer.apple.com/account and click Membership in the sidebar. Your Team ID appears in the Membership Information section under the team name.

NVRAM data
There are two properties that I would like to mention here. The first one being csr-active-config and the second one being csr-data. Let’s first have a look at a snippet from the output of

Apple-iMacPro:~ Apple$ nvram -xp

<key>csr-active-config</key>
<data>
gAIAAA==
</data>
<key>csr-data</key>
<data>
PGRpY3Q+PGtleT5rZXh0LWFsbG93ZWQtdGVhbXM8L2tleT48YXJyYXk+PHN0cmluZz4w
MTIzNDU2Nzg5PC9zdHJpbmc+PC9hcnJheT48L2RpY3Q+AA==
</data>

Apple-iMacPro:~ Apple$ echo -n gAIAAA==|base64 --decode|xxd -ps

0x80020000 (feature disabled)

Apple-iMacPro:~ Apple$ echo -n gAAAAA==|base64 --decode|xxd -ps

0x80000000 (feature enabled)

Note: You can use my csrstat command line tool to check the status of all SIP settings!

The base64 data of csr-data property is a dictionary with an array of all allowed team identifiers. Here is the one from our example

<dict>
    <key>kext-allowed-teams</key>
    <array>
        <string>0123456789</string>
    </array>
</dict>

And the csr-data property will still be there when you removed all team identifiers, but then with an empty array. Like this.

<dict>
    <key>kext-allowed-teams</key>
    <array>
    </array>
</dict>

Reset NVRAM will revert to its default state with User Approved Kernel Extension Loading enabled.

Enrolling in Mobile Device Management (MDM) automatically disables User Approved Kernel Extension Loading. The behavior for loading kernel extensions will be the same as macOS Sierra.

A future update to macOS High Sierra will allow you to use MDM to enable or disable User Approved Kernel Extension Loading, and to manage the list of kernel extensions which are allowed to load without user consent. If that is before or after the official release of macOS High Sierra is not known.

But you know what. All extensions in the prelinkedkernel are stripped. There is no data of the signature. Apple (still) relies on tools to check the kexts signature, before inclusion in the prelinkedkernel, and somehow, that doesn’t feel right.

Update: The configuration is stored in: /var/db/SystemPolicyConfiguration/KextPolicy. I also found the SQL statements that spctl and systempolicyd are using to initialise and update the database:

DROP TABLE IF EXISTS kext_load_history

DROP TABLE IF EXISTS kext_load_history_v2

DROP TABLE IF EXISTS policy_by_team

DROP TABLE IF EXISTS policy_by_team_v2

DROP TABLE IF EXISTS policy_by_cdhash

DROP TABLE IF EXISTS policy_by_cdhash_v2

DELETE FROM kext_policy WHERE team_id = ?1 AND bundle_id = ?2

DELETE FROM kext_load_history_v3 WHERE team_id = ?1 AND bundle_id = ?2

SELECT bundle_id, developer_name FROM kext_policy WHERE team_id IS NULL

UPDATE kext_policy SET developer_name = ?1 WHERE team_id IS NULL and bundle_id = ?2

CREATE TABLE IF NOT EXISTS kext_load_history_v3 ( path TEXT PRIMARY KEY, team_id TEXT, bundle_id TEXT, boot_uuid TEXT, created_at TEXT, last_seen TEXT, flags INTEGER )

CREATE TABLE IF NOT EXISTS kext_policy ( team_id TEXT, bundle_id TEXT, allowed BOOLEAN, developer_name TEXT, flags INTEGER, PRIMARY KEY (team_id, bundle_id) )

SELECT allowed, flags FROM kext_policy WHERE team_id = ?1 AND bundle_id = ?2

SELECT allowed, flags FROM kext_policy WHERE team_id IS NULL AND bundle_id = ?2

SELECT allowed FROM kext_policy WHERE team_id = ?1", 0

INSERT INTO kext_policy (team_id, bundle_id, allowed, developer_name, flags) VALUES (?1, ?2, ?3, ?4, ?5)

UPDATE kext_policy SET allowed = ?3, flags = ((flags & ~?4) | ?5) WHERE team_id = ?1 AND bundle_id = ?2

UPDATE kext_policy SET allowed = ?3, flags = ((flags & ~?4) | ?5) WHERE team_id IS NULL AND bundle_id = ?2

UPDATE kext_policy SET flags = (flags | ?3) WHERE team_id = ?1

UPDATE kext_policy SET flags = (flags | ?3) WHERE team_id IS NULL AND bundle_id = ?2

SELECT 1 FROM kext_load_history_v3 WHERE path = ?1

SELECT flags FROM kext_load_history_v3 WHERE path = ?1

UPDATE kext_load_history_v3 SET team_id = ?2, bundle_id = ?3, flags = ?4, last_seen = datetime('now') WHERE path = ?1

INSERT INTO kext_load_history_v3 (path, team_id, bundle_id, boot_uuid, created_at, last_seen, flags) VALUES (?1, ?2, ?3, ?4, datetime('now'), datetime('now'), ?7)

SELECT created_at FROM kext_load_history_v3 WHERE team_id = ?1 AND bundle_id = ?2

SELECT created_at FROM kext_load_history_v3 WHERE team_id IS NULL AND bundle_id = ?2

SELECT last_seen FROM kext_load_history_v3 WHERE team_id = ?1 AND bundle_id = ?2

SELECT last_seen FROM kext_load_history_v3 WHERE team_id IS NULL AND bundle_id = ?2

SELECT 1 FROM kext_load_history_v3 WHERE team_id = ?1 AND bundle_id = ?2 AND (flags & ?3) = ?3 AND boot_uuid != ?4

SELECT 1 FROM kext_load_history_v3 WHERE team_id IS NULL AND bundle_id = ?2 AND (flags & ?3) = ?3 AND boot_uuid != ?4

SELECT DISTINCT team_id FROM kext_policy WHERE team_id IS NOT NULL

SELECT bundle_id, developer_name, allowed FROM kext_policy WHERE team_id = ?1

SELECT bundle_id, developer_name, allowed FROM kext_policy WHERE team_id IS NULL

SELECT path, flags FROM kext_load_history_v3 WHERE team_id = ?1 AND bundle_id = ?2

SELECT path, flags FROM kext_load_history_v3 WHERE team_id IS NULL AND bundle_id = ?2

SELECT 1 FROM kext_policy WHERE flags & ?1 = ?1

UPDATE kext_policy SET allowed = 0, flags = ((flags & ~?1) | ?2) WHERE allowed = 1

You can use the above SQL statements with either /usr/bin/sqlite3 or some GUI app. Here is an example of the KextPolicy database:

Edit: The SQL database has two tables (kext_load_history_v3 and kext_policy). Let’s get going:

1.) open a terminal window and enter:

/usr/bin/sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy

2.) Enter:

sqlite> .tables

The result should be: kext_load_history_v3, kext_policy The two tables in the policy database.

We’re now going to get some data from the database. Enter one, or both, of the following SQL statements:

sqlite> SELECT path, bundle_id, team_id, boot_uuid, created_at, last_seen, flags FROM kext_load_history_v3;

Result:

/Library/Extensions/CIJUSBLoad.kext|jp.co.canon.ij.print.CIJUSBLoad|XE2XNRRXZ5|D2E6A228-1C85-4138-9CC5-253105DF1BDC|2017-08-31 10:58:46|2017-09-01 13:45:49|9
/Library/Extensions/BJUSBLoad.kext|jp.co.canon.bj.print.BJUSBLoad|XE2XNRRXZ5|D2E6A228-1C85-4138-9CC5-253105DF1BDC|2017-08-31 10:58:46|2017-09-01 13:45:49|1
/Library/Extensions/EnergyDriver.kext|com.intel.driver.EnergyDriver|Z3L495V9L4|D4829428-7105-425D-830E-A69DCAADD558|2017-09-01 13:30:23|2017-09-01 13:34:41|1
/Applications/Intel Power Gadget/EnergyDriver.kext|com.intel.driver.EnergyDriver|Z3L495V9L4|D4829428-7105-425D-830E-A69DCAADD558|2017-09-01 13:34:52|2017-09-01 13:55:30|5

Or just:

SELECT * FROM kext_load_history_v3;

Giving you the same output. Let’s do that for the policy table as well.

3.) Enter:

sqlite> SELECT team_id, bundle_id, allowed, developer_name, flags FROM kext_policy;

Result:

XE2XNRRXZ5|jp.co.canon.bj.print.BJUSBLoad|1|Canon Inc.|0
XE2XNRRXZ5|jp.co.canon.ij.print.CIJUSBLoad|1|Canon Inc.|0
Z3L495V9L4|com.intel.driver.EnergyDriver|1|Intel Corporation Apps|1

Or just:

SELECT * FROM kext_policy;

Again. Giving you the same kind of output. And with this information we can delete the history of a kext. Let’s do that for the Intel EnergyDriver.kext If you do not have this driver installed, then just pick another.

4.) Enter:

sqlite> DELETE FROM kext_load_history_v3 WHERE team_id = 'Z3L495V9L4';

Done. Let’s also delete the policy for this kext.

5.) Enter:

sqlite> DELETE FROM kext_policy WHERE team_id = 'Z3L495V9L4';

Please note that I used the team_id in my examples, but you can also use the bundle_id or developer_name.

6.) you can now exit sqlite3 by entering:

.quit

Currently there is (still) no formal way to change the data, but that should change in a future update of High Sierra.

Please note that you can only change the data from the RecoveryOS. Please do not mess with the data. This is just a reference for developers and hackers alike. This is not intended for end users!

p.s. I love this one:

“You can set a firmware password on your Mac to prevent unauthorized changes to NVRAM.”

Yes. You better do that. Or wait. Just look at that command prompt (Apple-iMacPro:~ Apple) showing you that I changed the setting from a macOS High Sierra terminal window, as administrator 🙂

BUG… BUG… BUGREPORTER !!!

New HandyScript called installSeed.py

You may have used one of my HandyScripts to install High Sierra. The problem with these scripts was that I had to update them for every new Developer Preview. And that was a burden. Taking too much time, and that is why I converted the bash scripts to a much smarter python variant. I started to work on it back in July, but it is still ugly, and I had never used it. Not until today.

Update: installSeed.py v1.7 includes bug fixes so you better use the latest version!

Updates: installSeed.py v1.8 is now available. This update downloads the correct i18n dictionary.
installSeed.py v1.9 is now available. This update includes minor cleanups and a version number error fix.
installSeed.py v2.0 is now available. This update exits gracefully, with instructions to install pip/request module.

Anyway. We first have to make some preparations. Open a terminal window and enter:

sudo easy_install pip
sudo pip install requests

That should get you ready for installSeed.py. The output of installSeed.py is pretty much similar to that of the previous bash scripts:

Available target volumes:

[ 0 ] MackintoshHD
[ 1 ] High Sierra

Select a target volume for the boot file: 1
Seed Program Enrollment: DeveloperSeed
File: BaseSystem.chunklist already there, skipping this download.
File: InstallESDDmg.pkg already there, skipping this download.
File: InstallAssistantAuto.pkg already there, skipping this download.
File: AppleDiagnostics.chunklist already there, skipping this download.
File: InstallESDDmg.chunklist already there, skipping this download.
File: OSInstall.mpkg already there, skipping this download.
File: InstallInfo.plist already there, skipping this download.
File: RecoveryHDMetaDmg.pkg already there, skipping this download.
File: BaseSystem.dmg already there, skipping this download.
File: AppleDiagnostics.dmg already there, skipping this download.
Creating installer.pkg ...
productbuild: Wrote product to /Volumes/High Sierra/tmp/091-30125/installer.pkg
Running installer ...
Password:
installer: Package name is Install macOS High Sierra Beta
installer: Installing at base path /Volumes/High Sierra
installer: The install was successful.
Copying: InstallESDDmg.pkg to the target location ...
Copying: AppleDiagnostics.dmg to the target location ...
Copying: AppleDiagnostics.chunklist to the target location ...
Copying: BaseSystem.dmg to the target location ...
Copying: BaseSystem.chunklist to the target location ..

The good thing (for me) is that with the introduction of installSeed.py I no longer need to update the file for every new Developer Preview.

Oh. One last note. The file /Users/Shared/.SeedEnrollment.plist should be this:

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
	<dict>
		<key>SeedProgram</key>
		<string>DeveloperSeed</string>
	</dict>
</plist>

If you have a backslash in the first line, then please remove it before running installSeed.py

Have fun!

Collecting Intel Processor Data…

I am looking for specific information about Intel processors for a project that I am working on, and I hope that you are willing to help me with this. Here is one example of what I am looking for:

Intel® Core™ i7-5820K

https://ark.intel.com/products/82932/Intel-Core-i7-5820K-Processor-15M-Cache-up-to-3_60-GHz

Processor Brandstring....................: Intel(R) Core(TM) i7-5820K CPU @ 3.30GHz

Processor Signature..................... : 0x306F2
------------------------------------------
 - Family............................... : 6
 - Stepping............................. : 2
 - Model................................ : 0x3F (63)

MSR_IA32_PLATFORM_ID.............(0x17)  : 0x8000000000000
------------------------------------------
 - Processor Flags...................... : 2

Socket: FCLGA2011-3

And here is another example.

Intel® Core™ i7-6700 Processor

https://ark.intel.com/products/88196/Intel-Core-i7-6700-Processor-8M-Cache-up-to-4_00-GHz

Processor Brandstring....................: Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz

Processor Signature..................... : 0x506E3
------------------------------------------
 - Family............................... : 6
 - Stepping............................. : 3
 - Model................................ : 0x5E (94)

MSR_IA32_PLATFORM_ID.............(0x17)  : 0x4000000000000
------------------------------------------
 - Processor Flags...................... : 1

Socket: FCLGA1151

You can grab this information with help of AppleIntelInfo.kext (preferred) or by entering three commands in a terminal window:

sysctl -n machdep.cpu.brand_string
sysctl -xn machdep.cpu.signature
sysctl -xn machdep.cpu.processor_flag

Then visit ark.intel.com and select the processor family and processor model that you have. Now copy the link and let me know what you’ve got.

Note: One data set per processor model is enough.

Edit: The data for sockets FCLGA1151 and FCLGA2011-3 should now be covered, but if you have a different value in MSR(MSR_IA32_PLATFORM_ID) then please add yours!

Thank you!

The Geekbench’s Mac Benchmark Chart Is Pretty Much Useless…

The results of the Mac Benchmark Chart is stripped. Much of the important data is removed (from user submitted results). There is no information about the installed Operating System, Processor ID, Motherboard, BIOS and Memory. But you need to have this data, otherwise the results are completely useless. Just look at it:

What does that tell me? Nothing! Without the missing details, that could even be a coffee grinder. That’s how much I value it. Now it is meaningless, but it could have been so much better. For example. There should at least be one reference (link) to a user submitted Geekbench result where all data is visible. If not all of the used results. Also. You cannot compare one (Mac) result with another. And what about graphics?

Also. When you visit Mac Benchmark Chart and click on one of the links in the chart, then click on another link, then you’ll find that all links are broken. Look here:

This is what I get right now. Not good.

Well. I don’t know about you, but for now, I am going to ditch the Geekbench.app and look for something better. A tool / website that does not hide significant details. Stuff that is uploaded by users, and then get ripped out of the results.

Ehm. No. I have no idea why Geekbench does this. I’m sure that the links will get fixed. Sooner or later. But we can only hope that the Mac chart will be improved and made meaningful again.

Edit: I don’t have access to my e-mail and can’t contact Geekbench right now, but someone (else) should at least inform them about the broken links. Thank you!

Update: Good news. The broken links are now fixed. Now, please, add references. Thank you!

HomePod detection located in High Sierra…

Ok. This is news to me. So the “AudioAccessory” and “HomePod” are not the same things? That is. Not for IMFoundation.framework:

#define NSNotFound    NSIntegerMax

void * +[IMDeviceSupport marketingNameForModel:](void * self, void * _cmd, void * arg2) {
    r15 = arg2;
    if ([r15 rangeOfString:@"iPod"] == NSNotFound) {
            rbx = @"iPad";
            if ([r15 rangeOfString:rbx] == NSNotFound) {
                    rbx = @"iPhone";
                    if ([r15 rangeOfString:rbx] == NSNotFound) {
                            rbx = @"Mac";
                            if ([r15 rangeOfString:rbx] == NSNotFound) {
                                    if ([r15 rangeOfString:@"AppleTV"] == NSNotFound) {
                                            if ([r15 rangeOfString:@"Watch"] == NSNotFound) {
                                                    rbx = @"HomePod";
                                                    if ([r15 rangeOfString:@"AudioAccessory"] == NSNotFound) {
                                                            rbx = @"Mac";
                                                    }
                                            }
                                            else {
                                                    rbx = @"Apple Watch";
                                            }
                                    }
                                    else {
                                            rbx = @"Apple TV";
                                    }
                            }
                    }
            }
    }
    else {
            rbx = @"iPod touch";
    }
    rax = rbx;
    return rax;
}

So basically what happens here is that if it finds an “AudioAccessory” (as product/model identifier) then it returns “HomePod”. So that we, the users, know what it is. Fine. Not a big deal.

The string “HomePod” can also be found in Sharing.framework

Time to get some food. I’m hungry…

Edit: Right. Someone spotted an error – see comments. Fixed. Thank you. Back to my food now.

Cool. I also found some interesting strings. I think that this is for a (future) HomePod setup app on Mac’s.

	<key>MY_HOME</key>
	<string>My Home</string>

	<key>ROOM_BATHROOM</key>
	<string>Bathroom</string>
	<key>ROOM_BEDROOM</key>
	<string>Bedroom</string>
	<key>ROOM_DEFAULT</key>
	<string>Default Room</string>
	<key>ROOM_DINING_ROOM</key>
	<string>Dining Room</string>
	<key>ROOM_GARAGE</key>
	<string>Garage</string>
	<key>ROOM_HALLWAY</key>
	<string>Hallway</string>
	<key>ROOM_KITCHEN</key>
	<string>Kitchen</string>
	<key>ROOM_LIVING_ROOM</key>
	<string>Living Room</string>
	<key>ROOM_MASTER_BEDROOM</key>
	<string>Master Bedroom</string>
	<key>ROOM_OFFICE</key>
	<string>Office</string>
	<key>ROOM_PATIO</key>
	<string>Patio</string>

I can’t remember it, but haven’t we seen this before? For the AppleTV maybe?

Scripts to install High Sierra DP7 (17A352a)…

We have a new handy script (install_1013_DP7_17A352a.sh) to install macOS High Sierra Beta DP-7.

The installer.pkg created by the script will simulate the App Store download and installation method, and all you have to do is:

1.) Run install_1013_DP7_17A352a.sh
2.) Run /Applications/Install macOS High Sierra Beta.app
3.) Reboot

Notes: I have yet to try the scripts myself – I cannot download the files right now (we’re still at sea). Also. You may want to run checkAPFSSettings.sh in single-user mode.

Please note that the App Store.app downloads files to: /Library/Updates but this script will use: /tmp/091-28482 and the downloaded files will be gone after a reboot, so you may want to make a backup of the files!

Note: The preferred way of installing / upgrading High Sierra (DP-7) on a Mac is to use the App Store !!!

Thanks!

Apple’s eficheck…

Ok. So you use Clover with an AMI or Phoenix BIOS. Well. In that case you may be interested in this:

This is part of routines that wipe data in the generated dump, but why would Apple do this for AMI/Phoenix BIOS? That is PC only ROM?!?

Edit: Privacy matters, and that is why Apple clears certain sensible areas.

Oh yeah. I should add that this can be found in this binary: /usr/libexec/firmwarecheckers/eficheck

usage: eficheck: [ --save -b  ]
                 [ --cleanup -b  ]
                 [ --generate-hashes [ -b  ] [ -p  ] ]
                 [ --integrity-check [ -h  [ -b  ] ] ]
                 [ --show-hashes [ -h  ] | [ -b  ] ]

	Examples:
	  'eficheck --save -b firmware.bin'
		 Save this system's EFI firmware as firmware.bin
	  'eficheck --cleanup -b firmware.bin'
		 Overwrite the EFI variables portion of the firmware, enabling the file to be shared for analysis
	  'eficheck --generate-hashes'
		 Analyze the current system's installed EFI firmware, and store the hashes into hash file(s) in current folder
		 File name(s) will be selected according to image's EFI version(s)
	  'eficheck --generate-hashes -b firmware.bin'
		 Analyze the firmware.bin, and store the hashes into hash file(s) in current folder
	  'eficheck --generate-hashes -p /usr/local/allowlists'
		 Analyze the current system's installed EFI firmware, and store the hashes into hash file(s) in /usr/local/allowlists folder
	  'eficheck --integrity-check'
		 Attempt to automatically determine which firmware you are running, and integrity check against the appropriate file, and report any differences
	  'eficheck --integrity-check -h /usr/libexec/firmwarecheckers/eficheck/EFIAllowListShipping.bundle/allowlists/IM171.88Z.0105.B08.1604111319.0.ealf'
		 Compare the current system's EFI firmware against the Apple-provided expected measurements for an "iMac17,1" at firmware revision B08, and report any differences
	  'eficheck --integrity-check -h hash.ealf -b firmware.bin'
		 Compare the given hash file against against the given firmware image and report any differences
	  'eficheck --show-hashes'
		 Print the hashes for the current system's installed EFI firmware to stdout
	  'eficheck --show-hashes -b firmware.bin'
		 Print the hashes for the given firmware.bin to stdout
	  'eficheck --show-hashes -h allowlist.ealf'
		 Print the hashes for the given allowlist.ealf to stdout

Data is downloaded from: https://validation.isu.apple.com and the initial package (EFIAllowListAll.pkg) can be downloaded here. Which was later replaced with a new update, available here. You can find the local allow list at:

/usr/libexec/firmwarecheckers/eficheck/EFIAllowListShipping.bundle/allowlists

There is also EFIAllowListInternal.pkg for Apple engineers, but that is not a public download.

_IsInternalOsBuild calls csr_check(CSR_ALLOW_APPLE_INTERNAL) to differentiate between public and internal OS builds.

It works with /System/Library/Extensions/eficheck.kext which matches via PCI device-id’s with one of the Intel LPC Controller/eSPI Controllers in this list:

				<string>pci8086,1c41</string>
				<string>pci8086,1c42</string>
				<string>pci8086,1c43</string>
				<string>pci8086,1c44</string>
				<string>pci8086,1c46</string>
				<string>pci8086,1c47</string>
				<string>pci8086,1c49</string>
				<string>pci8086,1c4a</string>
				<string>pci8086,1c4b</string>
				<string>pci8086,1c4c</string>
				<string>pci8086,1c4d</string>
				<string>pci8086,1c4e</string>
				<string>pci8086,1c4f</string>
				<string>pci8086,1c50</string>
				<string>pci8086,1c52</string>
				<string>pci8086,1c5c</string>
				<string>pci8086,1d41</string>
				<string>pci8086,1e42</string>
				<string>pci8086,1e44</string>
				<string>pci8086,1e46</string>
				<string>pci8086,1e47</string>
				<string>pci8086,1e48</string>
				<string>pci8086,1e49</string>
				<string>pci8086,1e4a</string>
				<string>pci8086,1e53</string>
				<string>pci8086,1e55</string>
				<string>pci8086,1e56</string>
				<string>pci8086,1e57</string>
				<string>pci8086,1e58</string>
				<string>pci8086,1e59</string>
				<string>pci8086,1e5d</string>
				<string>pci8086,1e5e</string>
				<string>pci8086,1e5f</string>
				<string>pci8086,3b02</string>
				<string>pci8086,3b03</string>
				<string>pci8086,3b06</string>
				<string>pci8086,3b07</string>
				<string>pci8086,3b08</string>
				<string>pci8086,3b09</string>
				<string>pci8086,3b0a</string>
				<string>pci8086,3b0b</string>
				<string>pci8086,3b0f</string>
				<string>pci8086,3b12</string>
				<string>pci8086,3b14</string>
				<string>pci8086,3b16</string>
				<string>pci8086,8c44</string>
				<string>pci8086,8c4b</string>
				<string>pci8086,8cc1</string>
				<string>pci8086,8cc2</string>
				<string>pci8086,8cc3</string>
				<string>pci8086,8cc4</string>
				<string>pci8086,8cc6</string>
				<string>pci8086,8c41</string>
				<string>pci8086,8c42</string>
				<string>pci8086,8c44</string>
				<string>pci8086,8c46</string>
				<string>pci8086,8c49</string>
				<string>pci8086,8c4a</string>
				<string>pci8086,8c4b</string>
				<string>pci8086,8c4c</string>
				<string>pci8086,8c4e</string>
				<string>pci8086,8c4f</string>
				<string>pci8086,8c50</string>
				<string>pci8086,8c52</string>
				<string>pci8086,8c54</string>
				<string>pci8086,8c56</string>
				<string>pci8086,8c5c</string>
				<string>pci8086,8d44</string>
				<string>pci8086,8d47</string>
				<string>pci8086,9cc1</string>
				<string>pci8086,9cc2</string>
				<string>pci8086,9cc3</string>
				<string>pci8086,9cc5</string>
				<string>pci8086,9cc6</string>
				<string>pci8086,9cc7</string>
				<string>pci8086,9cc9</string>
				<string>pci8086,9c41</string>
				<string>pci8086,9c43</string>
				<string>pci8086,9c45</string>
				<string>pci8086,9d41</string>
				<string>pci8086,9d43</string>
				<string>pci8086,9d46</string>
				<string>pci8086,9d48</string>
				<string>pci8086,9d4b</string>
				<string>pci8086,9d4e</string>
				<string>pci8086,a145</string>
				<string>pci8086,a151</string>

So what is this? What does it mean?

Well. Apple is likely using eficheck as an extra layer of security. To verify your EFI ROM (checksum) against the original one in their EFI ROM database, with the checksum of files that were produced by Apple. Or that you are using some modified copy of their EFI ROM firmware. This may mean that your EFI ROM has been tampered with, or that it somehow got damaged. Which is when your broken EFI ROM is invalidated and then you will see this dialog:

Honestly. I personally had never seen it, but there you have it. Thanks to @stroughtonsmith. Anyway. Just don’t click “Send to Apple” on a hack. Or wait. Let’s just click that button and wait and see if the ROM’s checksum shows up in a next update – this may as well be a fully automated process, like Apple used to add unsigned kexts to OSKextExcludeList (think AppleKextExcludeList.kext).

But seriously. Does eficheck --integrity-check even work with a Clover setup? What is the console output that you get when you run it? And in case that works for you, then my next question would be; Is your personal/identifiable data really removed?

There is one other thing that I’d like to figure out, and that is why Apple reads the PlatformUUID. That should not be required. Not ever.

Edit: I changed the title after I figured out what this binary does, and it is good, be it a start only.

The LaunchDaemon can be found at:

/System/Library/LaunchDaemons/com.apple.driver.eficheck.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.apple.driver.eficheck</string>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/libexec/firmwarecheckers/eficheck/eficheck</string>
		<string>--integrity-check-daemon</string>
	</array>
	<key>ProcessType</key>
	<string>Background</string>
	<key>LaunchEvents</key>
	<dict>
		<key>com.apple.xpc.activity</key>
		<dict>
			<key>com.apple.driver.eficheck</key>
			<dict>
				<key>Interval</key>
				<integer>604800</integer>
				<key>Priority</key>
				<string>Maintenance</string>
			</dict>
		</dict>
	</dict>
	<key>EnablePressuredExit</key>
	<true/>
</dict>
</plist>

Run every seven days.

Xeon Microcode Located In iMac Pro Firmware…

Ok. I said to check the Intel microcode that Apple used in the “accidentally” released firmware for the iMac Pro and here it is;

The above image shows you the header of the Intel microcode that I located in the firmware file of the iMac Pro. The data in the red box is the CPUID.

Right. You need to know how to read it, but that 52 06 05 00 is CPUID 0x050652 of the Intel Xeon processor (B-0 stepping) in the iMac Pro.

This CPUID – and the one for the H-0 stepping – can be found in the Intel® Xeon® Processor Scalable Family datasheet (see: xeon-scalable-spec-update.pdf).

Edit: I checked the processor flags in the header (97 00 00 00) and that is exactly the same as what you see on X299 platforms. You can check this with:

sysctl -xn machdep.cpu.processor_flag

With a Skylake processor with CPU signature 0x000506e3 that is 0x00000001. You can check this with:

sysctl -xn machdep.cpu.signature

But perhaps it is better to use the latest version of AppleIntelInfo.kext (v2.7) since it logs all bits from MSR_IA32_PLATFORM_ID/0x17. Or some other tool that can dump the output of MSR_IA32_PLATFORM_ID.