Post

Replies

Boosts

Views

Activity

Dext signing issue on Sequoia Beta
I am developing a PCIDriverKit dext, and testing on Sequoia Beta (Version 15.0 Beta, 24A5298h). Both the dext and the "owning" application build on Xcode 16.0 beta 4. I can run the owning application and register the dext. When the OS attempts to load the dext, though, code signing validation errors occur: 2024-07-30 15:54:02.386 Df kernel[0:ae6a] Driver com.company.Dext-Loader.dext has crashed 0 time(s) 2024-07-30 15:54:02.386 Df kernel[0:ae6a] DK: Dext_Loader_Driver-0x100001464 waiting for server com.company.Dext-Loader.dext-100001464 2024-07-30 15:54:02.388 Df kernelmanagerd[112:abb5] Found 1 dexts with bundle identifier com.company.Dext-Loader.dext 2024-07-30 15:54:02.388 Df kernelmanagerd[112:abb5] Using unique id a0cf49ca3ea45f5d54a3e8644e2dde6b0e8666c649c1e9513ca4166919038b53 to pick dext matching bundle identifier com.company.Dext-Loader.dext 2024-07-30 15:54:02.388 Df kernelmanagerd[112:abb5] Picked matching dext for bundle identifier com.company.Dext-Loader.dext: Dext com.company.Dext-Loader.dext v34 in executable dext bundle com.company.Dext-Loader.dext at /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext 2024-07-30 15:54:02.389 I kernel[0:ae71] igmp_domifreattach: reattached igmp_ifinfo for ifp XHC 2024-07-30 15:54:02.389 I kernel[0:ae71] mld_domifreattach: reattached mld_ifinfo for ifp XHC2 2024-07-30 15:54:02.389 Df kernelmanagerd[112:abb5] DextRecordTable read from plist: { com.company.Dext-Loader.dext: MRS-> Optional(( path: /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext; state: loaded )) history-> [ ( path: /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext; state: loaded ) ] } 2024-07-30 15:54:02.389 Df kernelmanagerd[112:abb5] Launching dext com.company.Dext-Loader.dext com.company.Dext-Loader.dext 0x100001464 a0cf49ca3ea45f5d54a3e8644e2dde6b0e8666c649c1e9513ca4166919038b53 2024-07-30 15:54:02.390 I kernelmanagerd[112:abb5] [com.apple.km:DextLaunch] Skipping addBreadcrumbForDextWithIdentifier for <private> 0 2024-07-30 15:54:02.389 Df kernel[0:ae71] ifnet_attach: Waiting for all kernel threads created for interface XHC2 to get scheduled at least once. 2024-07-30 15:54:02.389 Df kernel[0:ae71] ifnet_attach: All kernel threads created for interface XHC2 have been scheduled at least once. Proceeding. 2024-07-30 15:54:02.390 Df kernelmanagerd[112:abb5] Launching driver extension: Dext com.company.Dext-Loader.dext v34 in executable dext bundle com.company.Dext-Loader.dext at /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext 2024-07-30 15:54:02.479 E kernel[0:a9fb] (Sandbox) 1 duplicate report for Sandbox: imagent(633) deny(1) mach-lookup com.apple.contactsd.persistence 2024-07-30 15:54:02.479 E kernel[0:a9fb] (Sandbox) Sandbox: taskgated-helper(2985) deny(1) user-preference-read kCFPreferencesAnyApplication 2024-07-30 15:54:02.483 Df kernel[0:ae73] (AppleMobileFileIntegrity) AMFI: code signature validation failed. 2024-07-30 15:54:02.483 Df kernel[0:ae73] (AppleMobileFileIntegrity) AMFI: bailing out because of restricted entitlements. 2024-07-30 15:54:02.483 Df kernel[0:ae73] (AppleMobileFileIntegrity) AMFI: When validating /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext/com.company.Dext-Loader.dext: Code has restricted entitlements, but the validation of its code signature failed. Unsatisfied Entitlements: 2024-07-30 15:54:02.483 Df kernel[0:ae73] mac_vnode_check_signature: /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext/com.company.Dext-Loader.dext: code signature validation failed fatally: When validating /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext/com.company.Dext-Loader.dext: Code has restricted entitlements, but the validation of its code signature failed. Unsatisfied Entitlements: 2024-07-30 15:54:02.483 Df kernel[0:ae73] validation of code signature failed through MACF policy: 1 2024-07-30 15:54:02.483 Df kernel[0:ae73] check_signature[pid: 2984]: error = 1 2024-07-30 15:54:02.483 Df kernel[0:ae73] proc 2984: load code signature error 4 for file "com.company.Dext-Loader.dext" 2024-07-30 15:54:02.485 Df kernelmanagerd[112:abb5] [com.apple.libxpc.OSLaunchdJob:all] <OSLaunchdJob | handle=46B92B57-A90A-4EBD-8EF4-54313C6EE332>: submitAndStart completed, info=spawn failed, error=162: Codesigning issue 2024-07-30 15:54:02.483 Df kernel[0:ae73] (Sandbox) /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext/com.company.Dext-Loader.dext[2984] ==> com.apple.dext 2024-07-30 15:54:02.485 E kernelmanagerd[112:abb5] [com.apple.libxpc.OSLaunchdJob:all] <OSLaunchdJob | handle=46B92B57-A90A-4EBD-8EF4-54313C6EE332>: job failed to spawn, plist={ ProcessType => Driver _ManagedBy => com.apple.kernelmanagerd CFBundleIdentifier => com.company.Dext-Loader.dext _JetsamPropertiesIdentifier => com.company.Dext-Loader.dext LimitLoadToSessionType => System _DextCheckInPort => <mach send right: 0xbd486ccc0> { name = 15679, right = send, urefs = 2 } UserName => _driverkit _NullBootstrapPort => true ReslideSharedCache => false LaunchOnlyOnce => true Label => com.company.Dext-Loader.dext-0x100001464 RunAtLoad => true ProgramArguments => [<capacity = 8> 0: /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext/com.company.Dext-Loader.dext 1: com.company.Dext-Loader.dext 2: 0x100001464 3: com.company.Dext-Loader.dext ] SandboxProfile => com.apple.dext } The Xcode project uses these signing options: Automatically manage signing Team: Company Provisioning Profile: Xcode Managed Profile Signing Certificate: Apple Development: () The same project, with the same signing options, builds and loads its dext without issues from Xcode 15.3 on Sonoma 14.5. That same dext binary from Xcode 15.3 loads and passes the signature checks on Sequoia, but using Xcode on Sequoia is when the signature validation fails. Can anyone suggest a way to resolve these signature validation errors? (Other than just developing on Sonoma and testing on Sequoia?)
0
0
374
Aug ’24
How to Symbolicate an Apple Silicon Panic?
Investigating a kernel panic, I discovered that Apple Silicon Panic traces are not working with how I know to symbolicate the panic information. I have not found proper documentation that corrects this situation. Attached file is an indentity-removed panic, received from causing an intentional panic (dereferencing nullptr), so that I know what functions to expect in the call stack. This is cut-and-pasted from the "Report To Apple" dialog that appears after the reboot: panic_1_4_21_b.txt To start, I download and install the matching KDK (in this case KDK_14.6.1_23G93.kdk), identified from this line: OS version: 23G93 Kernel version: Darwin Kernel Version 23.6.0: Mon Jul 29 21:14:04 PDT 2024; root:xnu-10063.141.2~1/RELEASE_ARM64_T8122 Then start lldb from Terminal, using this command: bash_prompt % lldb -arch arm64e /Library/Developer/KDKs/KDK_14.6.1_23G93.kdk/System/Library/Kernels/kernel.release.t8122 Next I load the remaining scripts per the instructions from lldb: (lldb) settings set target.load-script-from-symbol-file true I need to know what address to load my kext symbols to, which I read from this line of the panic log, after the @ symbol: com.company.product(1.4.21d119)[92BABD94-80A4-3F6D-857A-3240E4DA8009]@0xfffffe001203bfd0->0xfffffe00120533ab I am using a debug build of my kext, so the DWARF symbols are part of the binary. I use this line to load the symbols into the lldb session: (lldb) addkext -F /Library/Extensions/KextName.kext/Contents/MacOS/KextName 0xfffffe001203bfd0 And now I should be able to use lldb image lookup to identify pointers on the stack that land within my kext. For example, the current PC at the moment of the crash lands within the kext (expected, because it was intentional): (lldb) image lookup -a 0xfffffe001203fe10 Which gives the following incorrect result: Address: KextName[0x0000000000003e40] (KextName.__TEXT.__cstring + 14456) Summary: "ffer has %d retains\n" That's not even a program instruction - that's within a cstring. No, that cstring isn't involved in anything pertaining to the intentional panic I am expecting to see. Can someone please explain what I'm doing wrong and provide instructions that will give symbol information from a panic trace on an Apple Silicon Mac? Disclaimers: Yes I know IOPCIFamily is deprecated, I am in process of transitioning to DriverKit Dext from IOKit kext. Until then I must maintain the kext. Terminal command "atos" provides similar incorrect results, and seems to not work with debug-built-binaries (only dSYM files) Yes this is an intentional panic so that I can verify the symbolicate process before I move on to investigating an unexpected panic I have set nvram boot-args to include keepsyms=1 I have tried (lldb) command script import lldb.macosx but get a result of error: no images in crash log (after the nvram settings)
4
0
625
Aug ’24
How to enable PCIDriverKit Bus Leader? (and Memory Space enable?)
I am porting a working kernel extension IOKit driver to a DriverKit system extension. Our device is a PCI device accessed through Thunderbolt. The change from IOPCIFamily to PCIDriverKit has some differences in approach, though. Namely, in IOKit / IOPCIFamily, this was the correct way to become Bus Leader: mPCIDevice->setBusLeadEnable(true); // setBusMasterEnable(..) deprecated in OS 12.4 but now, PCIDriverKit's IOPCIDevice does not have that function. Instead I am doing the following: // Set Bus Leader and Memory Space enable uint16_t commandRegister = 0; ivars->mPCIDevice->ConfigurationRead16(kIOPCIConfigurationOffsetCommand, &commandRegister); commandRegister |= (kIOPCICommandBusLead | kIOPCICommandMemorySpace); ivars->mPCIDevice->ConfigurationWrite16(kIOPCIConfigurationOffsetCommand, commandRegister); But I am not convinced this is working (I am still experiencing unexpected errors when attempting to DMA from our device, using the same steps that work for the kernel extension). The only hint I can find in the online documentation is here, which reads: Note The endpoint driver is responsible for enabling the Memory Space Enable and Bus Master Enable settings each time it configures the PCI device. When a crash occurs, or when the system unloads your driver, the system disables these features. ...but that does not state directly how to enable bus leader status. What is the "PCIDriverKit approved" way to become bus leader? Is there a way to verify/confirm that a device is bus leader? (This would be helpful to prove that bus leadership is not the issue for DMA errors, as well as to confirm that bus leadership was granted). Thanks in advance!
1
0
213
Sep ’24
"How to" for dext distribution
I have a DriverKit system extension (dext) that uses PCIDriverKit. I would like to get the build environment straightened out to successfully distribute the dext and associated software to end users. There are three types of software involved: The Dext-hosting application - this is the application that must be installed to /Applications/, and will perform the registration of the dext. The dext is deployed "within" this application, and can be found in the /Contents/Library/SystemExtensions folder of the app bundle. The dext itself - this is the actual binary system extension, which will be registered by its owning application, and will operate in its own application space independent of the hosting application. Additional applications that communicate with the dext - these are applications which will connect to the dext through user clients, but these applications do not contain the dext themselves. There are multiple locations where settings need to be exactly correct for each type of software to be signed, provisioned, and notarized properly in order to be distributed to users: developer.apple.com - where "identifiers" and "provisioning profiles" are managed. Note that there are differences in access between "Team Agent", "Admin", and "Developer" at this site. Xcode project's Target "Signing & Capabilities" tab - this is where "automatically manage signing" can be selected, as well as team selection, provisioning profile selection, and capabilities can be modified. Xcode project's Target "Build Settings" tab - this is where code signing identity, code signing development team, code signing entitlements file selection, Info.plist options and file selection, and provisioning profile selection. Xcode's Organizer window, which is where you manage archives and select for distribution. In this case, I am interested in "Developer ID" Direct Distribution - I want the software signed with our company's credentials (Team Developer ID) so that users know they can trust the software. Choosing "automatically manage signing" does not work for deployment. The debug versions of software include DriverKit (development) capability (under App ID configuration at developer.apple.com), and this apparently must not be present in distributable provisioning. I believe this means that different provisioning needs to occur between debug and release builds? I have tried many iterations of selections at all the locations, for all three types of binaries, and rather than post everything that does not work, I am asking, "what is supposed to work?"
13
0
311
1w