
iphonefreak450

Original poster
As you can see from the image, I don’t see any Set Firmware Password option.

How can I set one?
 


iphonefreak450

Original poster
Since I have a MBP M1, the option to set a firmware password will not appear in the Startup Security Utility and therefore it is secured by FileVault encryption which I have turned On?
 

maflynn

Yeah, looks like what I provided wasn't very helpful, sorry. I totally missed the big blurb about this being for Intel and if you have an M1, FileVault is all you get. That's what happens when you rush to post an answer - sorry

 

iphonefreak450

Original poster
Just to confirm, that for M1s, there is no need to set a firmware password?
 

NoBoMac

Moderator
Staff member
No need as there isn't firmware in the traditional sense (BIOS, EFI).

From the Apple Security whitepaper.


On a Mac with Apple silicon, System Security Utility indicates the overall user-configured security state of macOS, such as the booting of a kext or the configuration of System Integrity Protection (SIP). If changing a security setting would significantly degrade security or make the system easier to compromise, users must enter into recoveryOS by holding the power button (so that malware can’t trigger the signal, only a human with physical access can) to make the change. Because of this, an Apple-silicon based Mac also won’t require (or support) a firmware password—all critical changes are already gated by user authorization.

And in the case of FileVault, turn it on, as that will act as a firmware password. The M processors encrypt everything, and FileVault enforces that startup/decryption only begins when a password is provided.
 

iphonefreak450

Original poster
FileVault is On.

And where can I find the option Allowed Boot Media?
How can I be sure it’s disabled?

I went to the Apple Support knowledge base article below, but it does not say anything about Allowed Boot Media options settings.




kitKAC

FileVault is On.

And where can I find the option Allowed Boot Media?
How can I be sure it’s disabled?

I went to the Apple Support knowledge base article below, but it does not say anything about Allowed Boot Media options settings.




There aren't any options for Allowed Boot Media, the screenshot in your first post shows that. Startup Security Utility offers different options on Intel and Apple Silicon Macs.
 

Alpha Centauri

There aren't any options for Allowed Boot Media, the screenshot in your first post shows that. Startup Security Utility offers different options on Intel and Apple Silicon Macs.

Yep, that's where I was going with this and why I asked where the screenshot came from. It mentions T2 so Intel only, not sure why the OP keeps drifting back to those. As per the screenshot in post #1, those are the options, OP.
 

iphonefreak450

Original poster
On the image from my first post those are the options I see for Apple Silicon.

But no option for Allowed Boot Media.

So how can I be sure that boot from media is disabled?

I need it to be disabled.
 

chrfr

On the image from my first post those are the options I see for Apple Silicon.

But no option for Allowed Boot Media.

So how can I be sure that boot from media is disabled?

I need it to be disabled.

You can’t. That’s a feature of Intel Macs that have the T2 in them.
 

iphonefreak450

Original poster
Because booting from an unknown boot device media is a vector to install malware. That’s my concern.

But anyways, my MacBook is always with me and I’m the only one using it and it’s not in a public environment.

As for the firmware password, as you all mentioned, it uses the account password with FileVault turned on. So this is great because there are fewer passwords to remember.
 

NoBoMac

Moderator
Staff member
Allowed Boot Media is for Intels.

On Apple Silicon Macs, there is no such thing, due to a lot of things, but it boils down to the OS needing to be signed and tied to the CPU it's booting off of. So all you need to do is keep the "Full Security Mode" switch on.

 

Yebubbleman

As you can see from the image, I don’t see any Set Firmware Password option.

How can I set one?

Since I have a MBP M1, the option to set a firmware password will not appear in the Startup Security Utility and therefore it is secured by FileVault encryption which I have turned On?

Just to confirm, that for M1s, there is no need to set a firmware password?

You cannot set a firmware password on an Apple Silicon Mac. That includes any Mac with an M1, M1 Pro, M1 Max, M1 Ultra, M2, and any other M-series Mac yet to be released by Apple. The feature does not exist. Incidentally, the only real protections it offered were protecting you from booting from alternative boot modes, most of which don't exist on Apple Silicon Macs anymore.

You can only set a firmware password on an Intel-based Mac or an Intel-based Mac with the T2 Security chip.

FileVault is On.

And where can I find the option Allowed Boot Media?
How can I be sure it’s disabled?

I went to the Apple Support knowledge base article below, but it does not say anything about Allowed Boot Media options settings.




The setting to control "Allowed Boot Media" only exists on Intel-based Macs that have the T2 Security Chip. The only Intel-based Macs that have the T2 Security Chip are:

- iMac Pro (2017)
- MacBook Pro (15-inch, 2018 and 2019)
- MacBook Pro (13-inch, 2018-2020, excluding M1 model)
- MacBook Pro (16-inch, 2019)
- iMac (27-inch, 2020)
- Mac mini (2018)
- Mac Pro (2019)
- MacBook Air (2018-2020, excluding M1 model)

Because booting from an unknown boot device media is a vector to install malware. That’s my concern.

You are aware that this is not an x86-64 computer, and rather is not only an arm64 computer but one with a heavily customized firmware and bootloader, the details of which are still being painstakingly reverse-engineered, right? Good luck finding external boot media not containing macOS Big Sur or newer that can even run on an Apple Silicon Mac.


But anyways, my MacBook is always with me and I’m the only one using it and it’s not in a public environment.

So, why the concern then?

As for the firmware password, as you all mentioned, it uses the account password with FileVault turned on. So this is great because there are fewer passwords to remember.

I think you might want to brush up on your macOS Security knowledge so that you understand what these things are and what protections they actually offer to you.

Allowed Boot Media is for Intels.

Specifically Intels with the T2. :)
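
The checks the replies in this thread point to (FileVault on and Full Security on Apple silicon, a firmware password only on Intel), as an added example that is not part of any post above. The command output formats it parses are assumptions listed in the comments, and the sample input in the last branch is constructed.

```shell
#!/bin/sh
# Added example. Assumed output formats (not quoted from the thread):
#   fdesetup status                   -> "FileVault is On." / "FileVault is Off."
#   system_profiler SPiBridgeDataType -> a "Secure Boot: Full Security" line (Apple silicon)
#   firmwarepasswd -check (as root)   -> "Password Enabled: Yes" / "No" (Intel)

# filevault_state TEXT -> on | off | unknown
filevault_state() {
  case "$1" in
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# secure_boot_level TEXT -> value after "Secure Boot:", empty if absent
secure_boot_level() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Secure Boot:[[:space:]]*//p' | head -n 1
}

# audit_boot ARCH FDESETUP_OUTPUT POLICY_OUTPUT -> one verdict line
audit_boot() {
  fv=$(filevault_state "$2")
  if [ "$1" = arm64 ]; then
    level=$(secure_boot_level "$3")
    if [ "$fv" = on ] && [ "$level" = "Full Security" ]; then
      echo "OK: Apple silicon, FileVault on, Full Security"
    else
      echo "REVIEW: Apple silicon, FileVault=$fv, SecureBoot=${level:-unknown}"
    fi
  else
    case "$3" in
      *"Password Enabled: Yes"*) fw=set ;;
      *"Password Enabled: No"*)  fw=unset ;;
      *)                         fw=unknown ;;   # e.g. not run as root
    esac
    echo "INTEL: FileVault=$fv, firmware password $fw"
  fi
}

if [ "$(uname -s)" = Darwin ]; then          # live check on a Mac
  arch=$(uname -m)
  if [ "$arch" = arm64 ]; then policy=$(system_profiler SPiBridgeDataType 2>/dev/null)
  else policy=$(firmwarepasswd -check 2>/dev/null); fi
  audit_boot "$arch" "$(fdesetup status 2>/dev/null)" "$policy"
else                                         # constructed sample input
  audit_boot arm64 "FileVault is On." "      Secure Boot: Full Security"
fi
```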
 