Setting a firmware password prevents a Mac from starting up from any device other than the startup disk. It may also be set to be required on each boot. This may be useful for mitigating some attacks which require physical access to hardware. See how to Set a firmware password on your Mac for official documentation.
This feature can be helpful if your laptop is lost or stolen, and it protects against Direct Memory Access (DMA) attacks, for example with pcileech, which can read your FileVault passwords and inject kernel modules. This is because the only way to reset the firmware password is through an Apple Store, or by using an SPI programmer, such as Bus Pirate or another flash IC programmer.
Start up while pressing the Command and R keys to boot to Recovery Mode.
When the Recovery window appears, choose Firmware Password Utility from the Utilities menu.
In the Firmware Utility window that appears, select Turn On Firmware Password.
Enter a new password, then enter the same password in the Verify field.
Select Set Password.
Select Quit Firmware Utility to close the Firmware Password Utility.
Select Restart or Shutdown from the Apple menu in the top-left corner.
The firmware password will activate at next boot. To validate the password, hold Alt during boot - you should be prompted to enter the password.
firmwarepasswd [OPTION]
    ?                               Show usage
    -h                              Show usage
    -setpasswd                      Set a firmware password. You will be promted for passwords as needed.
                                    NOTE: if this is the first password set, and no mode is
                                    in place, the mode will automatically be set to "command"
    -setmode [mode] [-allow-oroms]  Set mode to:
                                    "command" - password required to change boot disk
                                    "full" - password required on all startups
                                    -allow-oroms permits option roms execution
                                    NOTE: cannot set a mode without having set a password
    -mode                           Print out the current mode setting
    -check                          Print out whether there is / isn't a firmware password is set
    -delete                         Delete current firmware password and mode setting
    -verify                         Verify current firmware password
    -unlockseed                     Generate a firmware password recovery key
                                    NOTE: Machine must be stable for this command to generate
                                    a valid seed. No pending changes that need a restart.
                                    NOTE: Seed is only valid until the next time a firmware password
                                    command occurs.
    -disable-reset-capability       Disable firmware password reset using unlockseed
    -enable-reset-capability        Enable firmware password reset using unlockseed
                                    NOTE: cannot enable or disable firmware password reset
                                    without having set a password
The firmware password can also be managed with the firmwarepasswd utility while booted into the OS. For example, to prompt for the firmware password when attempting to boot from a different volume:
sudo firmwarepasswd -setpasswd -setmode command
$ sudo firmwarepasswd -verify
Verifying Firmware Password
Enter password:
Correct
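To check the setting without typing the password, the -check and -mode options from the usage listing can be combined into a small audit script. This is an added example, not part of the original guide: the "Password Enabled:" and "Mode:" strings it matches are assumptions about the tool's output (this page does not show them), and fw_state, fw_compliant and REQUIRED_MODE are hypothetical names.

```shell
#!/bin/sh
# Added example: classify the firmware password state from firmwarepasswd output.
# Assumed output formats (not shown on this page):
#   firmwarepasswd -check  ->  "Password Enabled: Yes" or "Password Enabled: No"
#   firmwarepasswd -mode   ->  "Mode: command" or "Mode: full"

# fw_state CHECK_OUTPUT MODE_OUTPUT
# Prints one of: unset, command, full, unknown
fw_state() {
    case $1 in
        *"Password Enabled: Yes"*) ;;                 # fall through to the mode check
        *"Password Enabled: No"*) echo unset; return 0 ;;
        *) echo unknown; return 0 ;;                  # unexpected output: do not guess
    esac
    case $2 in
        *"Mode: full"*)    echo full ;;
        *"Mode: command"*) echo command ;;
        *)                 echo unknown ;;
    esac
}

# fw_compliant STATE REQUIRED_MODE
# Returns 0 when STATE meets the policy. Assumption: "full" (password on all
# startups) also satisfies a policy that only requires "command".
fw_compliant() {
    case "$2:$1" in
        command:command|command:full|full:full) return 0 ;;
        *) return 1 ;;
    esac
}

# Query the live system only where the tool exists and we are root.
if command -v firmwarepasswd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    state=$(fw_state "$(firmwarepasswd -check 2>&1)" "$(firmwarepasswd -mode 2>&1)")
    if fw_compliant "$state" "${REQUIRED_MODE:-command}"; then
        echo "firmware password: $state (compliant)"
    else
        echo "firmware password: $state (NOT compliant)"
    fi
fi
```

Run it with sudo; set REQUIRED_MODE=full to require a password on every startup rather than only when changing the boot disk.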