How can the average user easily validate the integrity of their Mac’s firmware

efi, firmware, hacking, security

How can the average user easily validate the integrity of their Mac's firmware?

Before you downvote this question or lecture me on how I am paranoid and no one should ever need to do that, please read below.

In July 2015, CVE-2015-3692 revealed that a Mac's EFI firmware could be hacked by a remote attacker. (The vectors available for this are in other CVEs, but could hypothetically be anything, including things like malicious fake Flash update installers.)

This vulnerability was made public at least four weeks before Apple patched it on July 30 for OS X 10.8, 10.9, and 10.10 with EFI Firmware Security Update 2015-001.

The same security researcher who announced this vulnerability also claims to have seen a demonstration at a conference of a firmware hack that cannot be removed or overwritten.

Therefore, once a Mac's EFI has been owned, if the attacker did it right, then the only way to reflash the EFI with valid Apple firmware would be to wire up a reflasher directly to the EFI chip on the logic board itself (do not try this at home).

News articles that reported this vulnerability downplayed it, saying that most users should not worry, and all you need to do in order to protect yourself is never let your Mac go into sleep mode, and either disable the root user, or never authenticate anything you do not 100% trust. Comment threads on those articles summed it up like this: if all your apps come from trusted sources like the official App Store, and you never run anything that's not code-signed by a developer known to Apple, then you should have nothing to worry about.

But then in September 2015 we learned about the XcodeGhost exploit, which is known to have resulted in numerous malware-infected apps showing up on the official iOS App Store—but what about OS X apps? In the linked article, Malwarebytes wrote:

Wardle pointed out back in March that Xcode was vulnerable to this
sort of thing, but frighteningly, also pointed the finger at many
other OS X apps. Any of those apps could be vulnerable to similar
attacks.

They also wrote, "the average user should not panic"—the same mantra that I often see parroted on the Apple support forums and elsewhere anytime a user posts a thread about tons of weird problems they are having. "Just reformat your drive and perform a clean install of the system. The problem is likely a third-party system modification," we are told. When that doesn't fix it, people are told it must be a hardware problem, like a failing HDD, failing GPU, or bad RAM. I've seen threads where people replaced literally every component in their Mac, and the problem would always come back.

Now we know it's hypothetically possible that users' EFI firmware got hacked—so even if their motherboard was replaced, when they'd reinstall their apps, the firmware could just get reflashed again by the malware! And if the motherboard was not replaced, then they'd be hosed no matter what.

That brings me back to the main question.

How can the average user easily validate the integrity of their Mac's firmware? I.e. how can you check to make sure your Mac's firmware has never been compromised by malware? I could not find any method compatible with El Capitan that does not require disabling SIP. For prior OS versions, there is a complicated third-party tool called DarwinDumper that can dump your EFI's contents to a text file, but you still need to have the valid Apple firmware to compare it against—this is not a method that the average user is capable of doing.

Telling people not to worry about something they very well could be the victim of, and have no way to check if they are, is what enables these sorts of exploits to be profitable for hackers, who depend upon complacency and a lack of vigilance on the part of users.

==

EDIT: I found the latest official Apple firmware installer on Apple's support site. The installer doesn't run on 10.10 or 10.11, oddly. Using Pacifist I extracted the .scap file for my MacBook Pro 9,1. I compared the binary in HexFiend with the biosdump that I pulled using DarwinDumper after rebooting into Recovery Mode and running csrutil disable in Terminal to disable rootless and enable the ability to run unsigned kexts. I recovered this BIOS header:

   $IBIOSI$   MBP91.88Z.00D3.B0B.1506081214Copyright (c) 2005-2015 Apple Inc.  All rights reserved.ˇˇˆ´5µ}ñÚC¥î°Îé!¢é_i@Ÿ¯¡Apple ROM Version
   BIOS ID:      MBP91
   Built by:     root@saumon
   Date:         Mon Jun  8 12:14:35 PDT 2015
   Revision:     svn 39254 (B&I)
   Buildcave ID: 6
   ROM Version:  00D3_B0B

The official BIOS from Apple's header:

   $IBIOSI$   MBP91.88Z.00D3.B0B.1506081214Copyright (c) 2005-2015 Apple Inc.  All rights reserved.ˇˇˆ´5µ}ñÚC¥î°Îé!¢é_i@Ÿ¯¡Apple ROM Version
   BIOS ID:      MBP91
   Built by:     root@saumon
   Date:         Mon Jun  8 12:14:35 PDT 2015
   Revision:     svn 39254 (B&I)
   Buildcave ID: 6
   ROM Version:  00D3_B0B

Other than that the files are very different-looking, but I'm guessing the .scap file has some sort of compression. At least that tells me I had the latest firmware installed, the one that was released after the hacks were announced. I'm prolly good. Would be nice to be able to confirm I'm good through some kind of checksum verification however! Looking at you, Apple!

Best Answer

To check the firmware of an Intel UEFI system, such as a Mactel, boot the Intel LUV (Linux UEFI Validation) distro, luv-live, and run Intel CHIPSEC. It'll check for most of the publicly-known firmware vulnerabilities. You should run CHIPSEC when you first get your box, save the ROM, then occasionally re-run CHIPSEC and compare the ROMs for changes. You can use UEFITool, CHIPSEC, or UEFI-Firmware-Parser, or a handful of other tools to do a forensic examination of the ROM.

For some more information about the topic and the tools involved, see my slides for a presentation I gave recently.
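The save-and-compare routine described in the answer above, as an added example (not part of the original answer and not code from CHIPSEC or the other tools named): it reports which block-aligned offset ranges differ between a baseline ROM dump and a later one, and separates changes inside a region expected to change (UEFI variables are written to flash during normal use) from changes anywhere else. The 4 KiB block size, the `VOLATILE` offsets and the sample images are assumptions constructed for illustration; real offsets depend on the machine's flash layout.

```python
BLOCK = 4096  # assumption: 4 KiB granularity, a common SPI flash erase-block size

def changed_ranges(baseline: bytes, current: bytes, block: int = BLOCK):
    """Return merged (start, end) byte ranges whose blocks differ."""
    if len(baseline) != len(current):
        raise ValueError("dump sizes differ: truncated dump or different flash part")
    ranges = []
    for start in range(0, len(baseline), block):
        end = min(start + block, len(baseline))
        if baseline[start:end] == current[start:end]:
            continue
        if ranges and ranges[-1][1] == start:      # extend the previous run
            ranges[-1] = (ranges[-1][0], end)
        else:
            ranges.append((start, end))
    return ranges

def classify(ranges, volatile):
    """Split changed ranges into those fully inside a known-volatile region
    (e.g. the UEFI variable store) and those that are not."""
    expected, unexpected = [], []
    for start, end in ranges:
        inside = any(v0 <= start and end <= v1 for v0, v1 in volatile)
        (expected if inside else unexpected).append((start, end))
    return expected, unexpected

def make_sample():
    """Constructed 64 KiB stand-ins for two dumps; real ROMs are several MiB."""
    baseline = bytes((i * 7) & 0xFF for i in range(64 * 1024))
    current = bytearray(baseline)
    current[0x3000:0x3004] = b"\x00\x01\x02\x03"   # change inside the volatile region
    current[0xA010] ^= 0xFF                         # change outside it
    return baseline, bytes(current)

# Hypothetical layout: where a given machine keeps its variable store is an assumption.
VOLATILE = [(0x2000, 0x6000)]

if __name__ == "__main__":
    base, cur = make_sample()
    expected, unexpected = classify(changed_ranges(base, cur), VOLATILE)
    for s, e in expected:
        print(f"expected change   0x{s:06x}-0x{e:06x}")
    for s, e in unexpected:
        print(f"UNEXPECTED change 0x{s:06x}-0x{e:06x}")
```

With real dumps, read both files as bytes and pass them to `changed_ranges`; any range reported as unexpected is the part worth opening in a firmware parser.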