On modern systems all KEXTs must be code signed with a Developer ID. Additionally, the Developer ID must be specifically enabled for KEXT development. You can learn more about that process on the Developer ID page.
If your KEXT is having code signing problems, check that it’s signed with a KEXT-enabled Developer ID. Do this by looking at the certificate used to sign the KEXT. First, extract the certificates from the signed KEXT:
% codesign -d --extract-certificates MyKEXT.kext
Executable=/Users/quinn/Desktop/MyKEXT/build/Debug/MyKEXT.kext/Contents/MacOS/MyKEXT
This creates a bunch of certificates of the form codesignNNN, where NNN is a number in the range from 0 (the leaf) to N (the root). For example:
% ls -lh codesign*
-rw-r--r--+ 1 quinn staff 1.4K 20 Jul 10:23 codesign0
-rw-r--r--+ 1 quinn staff 1.0K 20 Jul 10:23 codesign1
-rw-r--r--+ 1 quinn staff 1.2K 20 Jul 10:23 codesign2
Next, rename each of those certificates to include the .cer extension:
% for i in codesign*; do mv "$i" "$i.cer"; done
Finally, look at the leaf certificate (codesign0.cer) to see if it has an extension with the OID 1.2.840.113635.100.6.1.18. The easiest way to view the certificate is to use Quick Look in Finder.
Note: If you’re curious where these Apple-specific OIDs come from, check out the documents on the Apple PKI page. In this specific case, look at section 4.11.3 Application and Kernel Extension Code Signing Certificates of the Developer ID CPS.
If the certificate does have this extension, there are some other problems with your KEXT’s code signing. In that case, feel free to create a new thread here on DevForums with your details.
If the certificate does not have this extension, there are two possible causes:
Xcode might be using an out-of-date signing certificate. Re-create your Developer ID signing certificate using the developer site and see if the extension shows up there. If so, you’ll have to investigate why Xcode is not using the most up-to-date signing certificate.
If a freshly-created Developer ID signing certificate does not have this extension, you need to apply to get your Developer ID enabled for KEXT development per the instructions on the Developer ID page.
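The Quick Look inspection above can also be scripted, which is handy on a build machine without a GUI. The following Python is an added example, not Apple's code or part of the original note: it walks the DER structure of the extracted leaf certificate (codesign0.cer from the steps above, assumed to be a DER-encoded X.509 file as written by codesign --extract-certificates) and reports whether the marker extension OID 1.2.840.113635.100.6.1.18 is present. The sample_extensions helper builds a constructed miniature Extensions field so the check can be exercised offline; it stands in for a real certificate and is not real Apple data.

```python
"""Scriptable form of the Quick Look check above: scan a DER-encoded certificate
for the Developer ID KEXT-signing marker extension (OID 1.2.840.113635.100.6.1.18).
Added example, not Apple's code; assumes the codesignN files are DER X.509.
Usage: python3 kext_marker_check.py codesign0.cer
"""
import sys

KEXT_SIGNING_OID = "1.2.840.113635.100.6.1.18"  # marker OID from the Developer ID CPS


def encode_oid(dotted):
    """Encode a dotted OID as DER OBJECT IDENTIFIER content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128 groups, continuation bit on all but the last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(content):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted form."""
    first = content[0]  # assumes a one-byte first subidentifier (true for X.509 OIDs)
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this subidentifier
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER element at pos."""
    tag = buf[pos]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("high-tag-number form is not used in X.509")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def collect_oids(buf, start=0, end=-1):
    """Walk every constructed element (SEQUENCE, SET, [3] Extensions) and collect OIDs."""
    end = len(buf) if end < 0 else end
    oids, pos = [], start
    while pos < end:
        tag, cstart, cend = read_tlv(buf, pos)
        if tag & 0x20:  # constructed: descend
            oids.extend(collect_oids(buf, cstart, cend))
        elif tag == 0x06:  # OBJECT IDENTIFIER
            oids.append(decode_oid(buf[cstart:cend]))
        pos = cend
    return oids


def has_kext_signing_extension(der_bytes):
    """True if the certificate carries the KEXT-signing marker extension."""
    return KEXT_SIGNING_OID in collect_oids(der_bytes)


def der(tag, content):
    """Wrap content in a DER TLV; used only to build the constructed sample below."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def sample_extensions(include_kext_marker):
    """Constructed stand-in for a certificate's [3] EXPLICIT Extensions field:
    basicConstraints (2.5.29.19) plus, optionally, the KEXT marker with a NULL value."""
    exts = [der(0x30, der(0x06, encode_oid("2.5.29.19"))
                + der(0x01, b"\xff") + der(0x04, der(0x30, b"")))]
    if include_kext_marker:
        exts.append(der(0x30, der(0x06, encode_oid(KEXT_SIGNING_OID))
                        + der(0x04, der(0x05, b""))))
    return der(0xA3, der(0x30, b"".join(exts)))


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        present = has_kext_signing_extension(f.read())
    print("KEXT-signing marker extension:", "present" if present else "MISSING")
```

Run it against codesign0.cer after the extraction and rename steps. The walker descends into every constructed element rather than locating the Extensions field by position, so it also works on certificates whose TBSCertificate carries optional fields; the trade-off is that it would report an OID anywhere in the certificate, which is acceptable here because this marker OID appears only as an extension identifier.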
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Change history:
20 Jul 2016 — First published.
28 Mar 2019 — Added a link to the Apple PKI site. Other, minor changes.
15 Mar 2022 — Fixed the formatting. Updated the section number in the Developer ID CPS. Made other minor editorial changes.
Posts under Kernel tag
This is the bug: https://forums.developer.apple.com/forums/thread/729348?answerId=780151022#780151022
[quote='780151022, LostButFound, /thread/729348?answerId=780151022#780151022, /profile/LostButFound']
This issue still happens for me. With and without VPN, with both OpenVPN and Wireguard. With and without filtering (mostly with filters though, both LuLu and Little Snitch). On two different machines, M1 and M3. It's random.
If I have to bet, there's a deadlock caused by running x86 code on Arm hardware. As a software engineer I saw cases where Intel tolerates bad multi-threading more than Arm.
Are the Apple devs working on this? This is a very serious issue that makes these very expensive laptops unusable!
At least provide a way to reset the network stack!
0 comments
[/quote]
It seems that the Network Extension Framework has a bug where combining VPN and Network filters causes deadlocks and timeouts in networking on an irregular basis, regardless of the network interface used. This issue happens at a lower level than network interfaces. It can be either a Network Extension Framework bug or a kernel module bug. Given that the Network Extension Framework isn't open source, I can't even debug it, which I would've happily done. Yes, even though I'm not an Apple developer, but this bug is so bad that I'm happy to build macOS components in debug mode and attach a debugger to them when the issue happens... but it's not open source.
So, we have a bug, and we need help from apple devs to fix it... what am I supposed to do? Is there a chance I can get a dev to contact me to debug this together?
What are my options?
How can an app obtain the valid range for setting thread_time_constraint_policy_data_t for thread_policy_set()?
On Android there is a way for my app to know when the device has been restarted or powered up after a restart or powering off. I wonder if there is a way to listen for the restart/power up event on the iPhone and the Apple Watch?
How do I download a folder from opensource.apple.com without going inside recursively and downloading individual files?
e.g. one from here: "https://opensource.apple.com/source/Libm/"
PS. no idea what's the proper tag for this post, and as forum insists on having a non-empty tag field I'm using "Foundation" arbitrarily.
I have an exception handling frame for an Xcode application in macOS, which contains Cpp and Swift code. I am using the Unix signals frame for handling exceptions using sigaction. My sigaction signal handler gets invoked when there is a Swift or Cpp exception. However, for some exceptions like SIGSEGV, the signal handler gets called repeatedly. To handle this I am using the SA_RESETHAND flag so that the handler gets invoked only once, and then the default action for the signal takes over to terminate the process.
This approach works well when an exception occurs due to Cpp code; however, when it occurs due to Swift code, the signal handler still gets invoked repeatedly. Can someone explain why this is happening and what the solution to this is?
I'm finding a way to hook vnode operations, following is a snippet of the code:
IOReturn
FltIOKitKAuthVnodeGate::RegisterVnodeScopeCallback(void)
{
    //
    // register our listener
    //
    this->VnodeListener = kauth_listen_scope( KAUTH_SCOPE_VNODE,                              // for the vnode scope
                                              FltIOKitKAuthVnodeGate::VnodeAuthorizeCallback, // using this callback
                                              this );                                         // give a cookie to callback
    if( NULL == this->VnodeListener ){
        DBG_PRINT_ERROR( ( "kauth_listen_scope failed\n" ) );
        return kIOReturnInternalError;
    }
    return kIOReturnSuccess;
}
Here I use kauth_listen_scope to get the newly created vnode object, and then hook on it.
But now kauth_listen_scope is deprecated, and there is no way to get the vnode by using EndpointSecurity.
So is there any other way to get the newly created vnode object?
I wanted to perform handling for the exception in my Mac and iOS application. I am following this link, where it is suggested to follow either the Mach exception handling or use Unix signals. I did not find many resources that could be followed to implement Mach exceptions as suggested. Below are the few resources I could find. Can someone point to some documentation that Apple provides for this, or some other helpful documentation?
https://gist.github.com/rodionovd/01fff61927a665d78ecf
I am trying to sync the ntp time from the server using Kronos library.
However, I believe the code is not fully protected from multithreading access since it is using low level system code.
So, does anyone know how I can ensure sysctl and gettimeofday are thread-safe when calling them? Or, is there any thread-safe alternative to get the same result?
func currentTime() -> TimeInterval {
    var current = timeval()
    let systemTimeError = gettimeofday(&current, nil) != 0
    assert(!systemTimeError, "system clock error: system time unavailable")
    return Double(current.tv_sec) + Double(current.tv_usec) / 1_000_000
}

static func systemUptime() -> TimeInterval {
    var mib = [CTL_KERN, KERN_BOOTTIME]
    var size = MemoryLayout<timeval>.stride
    var bootTime = timeval()
    let bootTimeError = sysctl(&mib, u_int(mib.count), &bootTime, &size, nil, 0) != 0
    assert(!bootTimeError, "system clock error: kernel boot time unavailable")
    let now = currentTime()
    let uptime = Double(bootTime.tv_sec) + Double(bootTime.tv_usec) / 1_000_000
    assert(now >= uptime, "inconsistent clock state: system time precedes boot time")
    return now - uptime
}
I have thought of using NSLock, but I can only protect the getter (caller), not the setter (system).
I'm currently trying to develop a transparent data encryption (TDE) system on macOS 12.6.8. Our company has its own file encryption format. In order to facilitate safe and convenient file transfer between Windows and Mac platforms, we need to develop a TDE system on the Mac platform (on the Windows platform, we have developed such a system based on the Minifilter framework).
I tried to implement this system using a MacFuse based file system and the Endpoint Security system extension, but found that this did not allow complete control of files on the Mac system. For example, when you use Finder to copy an encrypted file, the decrypted data will be copied out. I'm guessing this might be due to Finder or some other system process cache.
By referring to the current product introductions of other companies, I learned that the current TDE systems on Mac systems are all based on kernel extension. But I noticed that Apple no longer encourages kernel extension development, and the Mac kernel has fewer and fewer APIs open to development.
So I would like to ask: is it still feasible to develop a TDE system based on a kernel extension?
Hey everyone,
I'm currently working on developing a kernel extension (kext) for the custom file system on macOS.
I opted for a kernel extension due to its potential for higher performance compared to using FileProvider. However, during development, I've noticed a significant performance bottleneck related to synchronous I/O operations within the VFS subsystem.
It appears that all I/O operations in the macOS kernel, such as vnop_read/vnop_write (sock_receive/sock_send), are executed synchronously. (https://forums.swift.org/t/task-safe-way-to-write-a-file-asynchronously/54639/7)
For example, the Linux kernel supports asynchronous I/O operations, which utilize struct file_operations.read_iter/write_iter.
This discrepancy in implementation leads to a considerable performance gap, with macOS performing approximately 8-15 times slower than Linux implementation.
Given this performance difference, I'm reaching out to seek advice and insights from the community.
Are there any known strategies or best practices for improving the performance of kernel extensions related to file systems on macOS?
Any guidance or suggestions on how to optimize the performance of file system operations on macOS kext would be greatly appreciated. Thank you in advance for your assistance!
Hello,
How can I get the boot args in C++ or Objective-C on macOS without launching the nvram command tool? Take -arm64e_preview_abi for example. How can I check if it exists and if it's effective now or a reboot is needed for it to take effect. Thanks!
Am I calling this right?
host_priv_t hostPriv = 0;
int err = host_get_host_priv_port(mach_host_self(), &hostPriv);
processor_array_t processorList = NULL;      // declarations for the two out-parameters
mach_msg_type_number_t processorCount = 0;  // (added so the snippet compiles as shown)
err = host_processors(hostPriv, &processorList, &processorCount);
host_get_host_priv_port above returns 4 "(os/kern) invalid argument".
Tried with App Sandbox enabled and disabled.
I have some C code that returns memory usage of the current task on my machine and recently redacted it to use the proc_getallinfo struct so I can instead retrieve systemwide memory usage. I'm calling that code in Swift; however, I'm getting the error "Initializer 'init(_:)' requires that 'proc_taskallinfo' conform to 'BinaryInteger'" and I'm not sure what the appropriate field is to pass that works with the proc_getallinfo struct. resident_size does not work in this context.
import IOKit
import Foundation

@_silgen_name("kernMem")
func kernMem(storeMemData: UnsafeMutablePointer<proc_taskallinfo>) -> kern_return_t

@main
struct MacStatAppApp: App {
    @State public var printMemory: String = "" // dynamic state object to store data that will be passed to SwiftUI
    var body: some Scene {
        WindowGroup {
            ContentView(printMemory: $printMemory) // binding for printMemory to pass data to ContentView
                .onAppear {
                    var storeMemData = proc_taskallinfo() // define pointer
                    let result = kernMem(storeMemData: &storeMemData)
                    if result == KERN_SUCCESS {
                        let memoryUsage = Double(storeMemData) / (1024.0 * 1024.0 * 1024.0) // conversion for GB, 1024 to the power of 3
                        print(String(format: "memory usage: %.2f GB", memoryUsage))
                    } else {
                        print("failed to obtain memory usage data: \(result)")
                    }
                }
        }
    }
}
I have a 14 inch 2021 macbook pro, 32gb, running Sonoma 14.2.1.
After 20-30 days of uptime, kernel_task starts to use about 100-250% CPU. On my last reboot, kernel_task had used 100 hours of CPU time with less than 30 days of uptime, suggesting an average usage of 13.9% CPU for the entire 30 day period.
Looking on the forums, I see others complaining about high kernel_task CPU usage related to thermals or external monitor usage. I do use an external monitor; however, in my case I see no correlation between either temperature or monitor usage and the kernel_task CPU spike. Running the fan at full blast with Mac Fan Control does nothing, and neither does unplugging the external monitor. I also tried switching the USB-C cable to the right side as has been suggested, with no success.
I've also seen many threads where Apple simply responds to reboot and see if the problem persists. For me a reboot "fixes" the problem, but it always comes back 20-30 days later, so this is not a fix. I'm fairly certain this is a kernel bug that Apple needs to fix instead of just telling people to reboot more often...
I have a virtual device, which is redirected to the Mac from Windows. However, in macOS it is not recognized as a HID device even though it has only one HID interface.
The device name is Virtual Fido; it is more likely to be identified as an audio device. Could anyone help check? Thanks.
2024-01-31 16:37:03.102014+0800 0x1df Error 0x0 0 0 kernel: (IOUSBFamily) AppleUSBLegacyRoot@(null): AppleUSBLegacyRoot::usbServiceCallback: controller <private> (S1F0) usbServiceArray <private>(count 1) options 0x00000000
2024-01-31 16:37:03.102020+0800 0x1df Error 0x0 0 0 kernel: (IOUSBFamily) AppleUSBLegacyRoot@(null): AppleUSBLegacyRoot::usbServiceCallback: [0] <private>
2024-01-31 16:37:03.102023+0800 0x1df Error 0x0 0 0 kernel: (IOUSBFamily) AppleUSBLegacyRoot@(null): AppleUSBLegacyRoot::usbServiceCall: controller <private> (S1F0) usbService <private> (Virtual FIDO) options 0x00000000
2024-01-31 16:37:03.102035+0800 0x1df Error 0x0 0 0 kernel: (IOUSBFamily) AppleUSBLegacyRoot@(null): AppleUSBLegacyRoot::getOrCreateLegacyControllerGated: located existing AppleUSBController@00000000
2024-01-31 16:37:03.102037+0800 0x1df Error 0x0 0 0 kernel: (IOUSBFamily) AppleUSBLegacyRoot@(null): AppleUSBLegacyRoot::usbServiceCallGated: IOUSBHostDevice <private> (Virtual FIDO)
2024-01-31 16:37:03.102046+0800 0x1df Error 0x0 0 0 kernel: (IOUSBFamily) AppleUSBLegacyRoot@(null): AppleUSBLegacyRoot::addDeviceToUsbPlane:
2024-01-31 16:37:03.102288+0800 0x1df Error 0x0 0 0 kernel: (IOUSBFamily) AppleUSBLegacyRoot@(null): AppleUSBLegacyRoot::usbServiceCall: usbServiceCallbackGated completed with 0x00000000 and service <private>
2024-01-31 16:37:03.102302+0800 0x1df Error 0x0 0 0 kernel: (IOUSBFamily) AppleUSBLegacyRoot@(null): AppleUSBLegacyRoot::usbServiceCall: registering Virtual FIDO@00810000 (<private>) for matching
2024-01-31 16:37:03.104499+0800 0x247c Info 0x0 120 0 kernelmanagerd: Received MIG message
2024-01-31 16:37:03.105412+0800 0x247c Info 0x0 120 0 kernelmanagerd: Received MIG message
2024-01-31 16:37:03.105453+0800 0x284b Default 0x0 120 0 kernelmanagerd: Received kext load notification: com.apple.iokit.IOAudioFamily
2024-01-31 16:37:03.105460+0800 0x284b Default 0x0 120 0 kernelmanagerd: Received kext load notification: com.apple.driver.AppleUSBAudio
2024-01-31 16:37:03.106066+0800 0x11d6 Default 0x0 643 0 icdd: [com.apple.imagecapture:icdd] Device DB | Creating local devices
2024-01-31 16:37:03.106170+0800 0x512 Info 0x0 244 0 com.apple.ifdreader: [com.apple.CryptoTokenKit:smartcard] new device skipped: 0x0e0f/0x0123 810000 (entryId=4294969016)
2024-01-31 16:37:03.106551+0800 0x11d6 Default 0x0 0 0 kernel: (Sandbox) Sandbox: icdd(643) allow file-read-data /Library/Image Capture/Devices
2024-01-31 16:37:03.106602+0800 0x11d6 Default 0x0 643 0 icdd: [com.apple.imagecapture:icdd] Device DB | Creating bonjour devices
2024-01-31 16:37:03.106968+0800 0x11d6 Default 0x0 643 0 icdd: [com.apple.imagecapture:icdd] => [Matching] | [ 0x00,0x00,0x00 ]
2024-01-31 16:37:03.106989+0800 0x11d6 Default 0x0 643 0 icdd: [com.apple.imagecapture:icdd] Added | 0x10000011 - [USB][ Virtual FIDO ] ( 0, 0, 0) @ 0x810000 |
2024-01-31 16:37:03.107041+0800 0x11d6 Default 0x0 643 0 icdd: [com.apple.imagecapture:icdd] Autolaunch | 00000000-0000-0000-0031-323334353637 => (null)
2024-01-31 16:37:03.335288+0800 0x276f Default 0x0 424 0 trustd: [com.apple.securityd:pinningQA] could not enable test hierarchy: no UAT pinning preferences set
| | | +-o VMware Virtual USB Hub@00800000 <class IOUSBHostDevice, id 0x1000003de, registered, matched, active, busy 0 (35 ms), retain 38>
| | | +-o AppleUSBHostLegacyClient <class AppleUSBHostLegacyClient, id 0x1000003e1, !registered, !matched, active, busy 0, retain 8>
| | | +-o AppleUSB20Hub@00800000 <class AppleUSB20Hub, id 0x1000003e4, registered, matched, active, busy 0 (33 ms), retain 35>
| | | | +-o AppleUSB20HubPort@00810000 <class AppleUSB20HubPort, id 0x1000003e7, registered, matched, active, busy 0 (33 ms), retain 16>
| | | | | +-o Virtual FIDO@00810000 <class IOUSBHostDevice, id 0x1000006b8, registered, matched, active, busy 0 (3 ms), retain 20>
| | | | | +-o AppleUSBHostLegacyClient <class AppleUSBHostLegacyClient, id 0x1000006bb, !registered, !matched, active, busy 0, retain 8>
| | | | | +-o AppleUSBHostCompositeDevice <class AppleUSBHostCompositeDevice, id 0x1000006bf, !registered, !matched, active, busy 0, retain 4>
| | | | +-o AppleUSB20HubPort@00820000 <class AppleUSB20HubPort, id 0x1000003e8, registered, matched, active, busy 0 (0 ms), retain 12>
| | | | +-o AppleUSB20HubPort@00830000 <class AppleUSB20HubPort, id 0x1000003e9, registered, matched, active, busy 0 (0 ms), retain 12>
It seems like the Kernel Debug Kit for macOS 14.2.1 (23C71) and macOS 14.3 GM (23D56) are both missing from the list of downloads at developer.apple.com. It would be great if you could add them to the list of available downloads.
When trying to e.g. use the macOS 14.2 (23C64) Kernel Debug Kit on macOS 14.2.1 (23C71) it fails with the following error message:
Error Domain=KMErrorDomain Code=34 "Missing Developer Kit: As of macOS 13.0, you will need to install a KDK matching your build 23C71 to rebuild kernel collections." UserInfo={NSLocalizedDescription=Missing Developer Kit: As of macOS 13.0, you will need to install a KDK matching your build 23C71 to rebuild kernel collections.}
Is there a workaround for this if e.g. the kernel was not substantially changed in minor releases?
What is the general procedure to release Kernel Development Kits?
It seems like they are not released at the same time as the macOS releases and not for every build. Would it be possible to ensure that a Kernel Development Kit is released alongside the next macOS release (probably 14.3) and onward?
I also filed a feedback at FB13555096.
Hello,
I'm trying to build XNU with KASAN support. However, I get this error:
clang: error: unsupported option '-fsanitize=kernel-hwaddress' for target 'arm64e-apple-darwin23.2.0'
If I try to compile a non-kernel C code with -fsanitize=hwaddress, I get the same target error.
But Apple ships HWASan kernels with KDK, which shows there is a clang which is capable of compiling hwasan code for arm64e.
How can we compile hwasan sanitized code ourselves? Is it a private toolchain or released somewhere?
I am trying to debug a kernel panic in our kext. I can attach to the target Mac over ethernet if I:
cause an NMI using
add an IOPanic call to my kext and cause it to be executed
use Dtrace to invoke a panic
However if I reproduce the kernel panic which I am investigating, the Mac just restarts.
How can I make the Mac wait for me to attach with lldb rather than restarting?
My target configuration is:
Mac is 2021 M1 Pro 14" MacBook Pro
macOS 14.2 (23C64)
Network: Apple Thunderbolt 3 <-> Thunderbolt 3 adapter + Apple Thunderbolt 2 to ethernet adapters
Boot-args = "debug=0x44 wdt=-1 kdp_match_name=en8" (I have also tried debug=0x104C0C)
I am using Xcode 15.2 Beta on macOS Sonoma 14.3 Beta with the macOS Sonoma 14.2 SDK. Similarly to post 702244, I am trying to build the same exact repository, partially for my own education. The issue I am running into is that one of the files references IOKit/hid/IOHIDDevice.h, which, in turn, references IOKit/IOReporter.h. Since both of these are searched for, with #include <…>, in a base path of Kernel.framework/Versions/A/Headers, it follows that there should at least be a file somewhere in that folder called IOReporter.h, but there is not. There isn't even a copy in IOKit.framework/Versions/A/Headers, although that folder has another version of hid/IOHIDDevice.h entirely, which does not reference an IOReporter.h file. Is the lack of an IOReporter.h file deliberate, accidental, or is the mere continued existence of a kernel-space IOKit IOHIDDevice.h, containing a deprecated kernel-space IOHIDDevice symbol, an accident; possibly a simple hold-over from a previous version? Is there a way to make this compile? Am I missing anything? Should it be assumed that deprecated kernel-mode APIs will simply not compile?
Given a pid_t, is there an efficient way to determine what child processes it has spawned?
I found proc_listchildpids() in <libproc.h>, but there is no documentation for it. (I've been able to figure out that the argument is an array of pid_t, but as far as I can tell there's no way to know up front how much space I should allocate.)
Somewhat related: given a pid_t, is there a way to get notified when that process spawns a child process, as well as when any child process exits? (I don't know in advance what processes will be created or when they'll terminate, so I can't keep track separately.) I know that DISPATCH_SOURCE_TYPE_PROC exists, and while that's in the general area, it looks like I'd have to do a fair amount of secondary bookkeeping to keep track.
Thanks for any advice. :-)