Pop-up "Firmware changes detected" randomly appear
This message just popped up on my Mac
- What could have caused this?
- I see the file eficheck.bin, how can I tell if my EFI firmware is OK?
- After sending this to Apple, what happens next?
Solution 1:
What could have caused this?
The macOS Sierra 10.12.5 beta (and the 10.12.4 beta before it) included an eficheck tool. This tool is designed to verify your EFI firmware by reading data from the Serial Peripheral Interface (SPI) flash and verifying its signature is valid (i.e. it hasn't been tampered with). Basically it's doing this to prevent system stability and security issues.
So, if you had installed either of these betas, that would explain what caused this. If you didn't install either of those betas, then I'm at a loss - except to say it's highly likely the eficheck tool will be included in the public release of macOS Sierra 10.12.5. I don't believe it was a part of the public release of mac OS Sierra 10.12.4.
Either way, you can check for it by entering the kextstat
command in Terminal and searching the output via the Find CommandF shortcut and searching for eficheck.kext (or part thereof).
I see the file eficheck.bin, how can I tell if my EFI firmware is OK?
Once again, I'm working on the assumption you had the beta installed. If so, I would not worry about it as many users reported seeing this even though their firmware was not modified etc.
After sending this to Apple, what happens next?
If you choose to send the relevant data to Apple, only the unexpected changes in your computer’s firmware and only general details of your computer (such as model) are collected and transmitted. In terms of what happens next, well, I'm not sure exactly what Apple will do with this data. Only time will tell.
More information was available at: https://support.apple.com/kb/HT207475 but it's since been removed (it was there as recently as three days ago). I include it here because I expect Apple will republish it after the release of macOS Sierra 10.12.5. If it's not I will either edit/delete it (as appropriate) from this answer.