How do I set DriverKit entitlements during development?

I'm trying to port an existing kext-based driver to DriverKit. My client has requested the relevant signing entitlements, but they haven't come through yet. Fortunately, the documentation says that we can develop and test DriverKit drivers without these entitlements if we disable SIP on the target machine. Right?


Quoting https://developer.apple.com/documentation/driverkit/requesting_entitlements_for_driverkit_development?language=objc


> Note

> While waiting for Apple to grant your entitlement requests, you can continue to develop and test your drivers on your local systems. For information about how to disable the necessary security checks, see Debugging and Testing System Extensions.


That referenced page, https://developer.apple.com/documentation/driverkit/debugging_and_testing_system_extensions?language=objc, then goes on to say that I need to disable SIP on the target system, along with a command for disabling the /Applications/ directory requirement.


Well, I can't get it working. I've set up a Cocoa app and embedded a DriverKit target within it. I'm signing the app using a Mac Developer certificate and an explicitly-created provisioning profile which has the system extension capability and which matches the app's bundle ID. I've wired up a button in the app to set up and submit an OSSystemExtensionRequest and implemented the delegate methods.


Configuring the entitlements and signing of the .dext bundle is where I'm having trouble:


  • If I don't set the com.apple.developer.driverkit entitlement, I can sign, build, and embed the dext, but submitting the system extension activation request fails with error code 9: "Invalid extension configuration in Info.plist and/or entitlements" (OSSystemExtensionErrorValidationFailed).
  • If I do set the com.apple.developer.driverkit entitlement, I cannot find any combination of settings with which Xcode will even allow me to kick off the build (names have been anonymised):
error: Automatic signing is unable to resolve an issue with the "DriverTarget" target's entitlements. Automatic signing can't add the com.apple.developer.driverkit entitlement to your provisioning profile. Switch to manual signing and resolve the issue by downloading a matching provisioning profile from the developer website. Alternatively, to continue using automatic signing, remove this entitlement from your entitlements file and its associated functionality from your code. (in target 'DriverTarget' from project 'DriverProject')
error: Provisioning profile "Mac Team Provisioning Profile: *" doesn't include the com.apple.developer.driverkit entitlement. (in target 'DriverTarget' from project 'DriverProject')


Both outcomes make logical sense:

  • The system extension mechanism needs to know what kind of extension this is in order to install/activate it, and that appears to be done via the entitlements embedded in the code signature.
  • You can't sign a binary with an entitlement for which your signing identity hasn't been whitelisted.


The conclusion would therefore be that you can't build and test a DriverKit driver without explicitly being given permission by Apple. However:


  1. That appears to contradict the documentation.
  2. It doesn't make much logical sense that DriverKit is more restricted than kext development. Anyone curious about writing kexts can just turn off SIP and go wild, but only the chosen ones are allowed to tinker with DriverKit, the API that Apple is trying to push on everyone.


So, have I missed something? What should I be doing to get this working?


Incidentally, eskimo1's suggestion of setting the boot-arg here https://forums.developer.apple.com/thread/125048#394539 does not appear to make any difference, which makes sense as it's not actually amfid which is causing the failure.


Full system log (### replacing non-public identifiers) for the relevant time frame:


2020-04-16 12:19:20.992008+0200 0x1ef9     Default     0x3930               680    0    USB Display Device: installDriverButtonPushed: Submitted extension activation request
2020-04-16 12:19:20.994555+0200 0x1b65     Activity    0x3035               621    0    sysextd: (Security) SecTrustEvaluateIfNecessary
2020-04-16 12:19:20.995952+0200 0x1ded     Default     0x3035               192    0    trustd: [com.apple.securityd:SecError] OCSPResponse: single response has extension(s).
2020-04-16 12:19:21.001309+0200 0x1b65     Default     0x3930               621    0    sysextd: attempting to realize extension with identifier ###
2020-04-16 12:19:21.002978+0200 0x1b65     Activity    0x3036               621    0    sysextd: (Security) SecTrustEvaluateIfNecessary
2020-04-16 12:19:21.004210+0200 0x1ded     Default     0x3036               192    0    trustd: [com.apple.securityd:SecError] OCSPResponse: single response has extension(s).
2020-04-16 12:19:21.007341+0200 0x1b65     Default     0x3930               621    0    sysextd: Realizing target path: 
2020-04-16 12:19:21.008133+0200 0x1b65     Default     0x3930               621    0    sysextd: Bundle class: UncachedBundle
2020-04-16 12:19:21.009911+0200 0x1b65     Activity    0x3037               621    0    sysextd: (Security) SecTrustEvaluateIfNecessary
2020-04-16 12:19:21.011170+0200 0x1ded     Default     0x3037               192    0    trustd: [com.apple.securityd:SecError] OCSPResponse: single response has extension(s).
2020-04-16 12:19:21.013814+0200 0x1b65     Default     0x3930               621    0    sysextd: System extension does not appear to belong to any extension categories
2020-04-16 12:19:21.014108+0200 0x1ef9     Default     0x3930               680    0    USB Display Device: request:didFailWithError: Error Domain=OSSystemExtensionErrorDomain Code=9 "Invalid extension configuration in Info.plist and/or entitlements" UserInfo={NSLocalizedDescription=Invalid extension configuration in Info.plist and/or entitlements}
2020-04-16 12:19:21.014235+0200 0x1ef9     Default     0x3930               680    0    USB Display Device: Error code: 9
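An added diagnostic (not code from the original post): it cross-checks the entitlements a .dext claims against what its provisioning profile grants, so the two failure modes described above (activation error code 9 versus a refused build) can be told apart before an activation request is submitted. It assumes the caller has already extracted both plists, for example with `codesign -d --entitlements :- X.dext` and `security cms -D -i X.provisionprofile`; here it runs on constructed sample data.

```python
import plistlib

DRIVERKIT_ENTITLEMENT = "com.apple.developer.driverkit"


def check_driverkit_signing(dext_entitlements_plist: bytes,
                            profile_plist: bytes) -> list[str]:
    """Compare what the dext claims with what the profile grants.

    Findings are tagged CODE9 (activation will fail with
    OSSystemExtensionErrorValidationFailed) or PROFILE (signing will be
    refused); an empty list means the two artifacts agree."""
    claimed = plistlib.loads(dext_entitlements_plist)
    profile = plistlib.loads(profile_plist)
    granted = profile.get("Entitlements", {})
    findings = []
    if not claimed.get(DRIVERKIT_ENTITLEMENT):
        # Without this entitlement sysextd logs "does not appear to belong
        # to any extension categories" and the request fails with code 9.
        findings.append("CODE9: dext does not claim %s; activation will fail "
                        "with OSSystemExtensionErrorValidationFailed"
                        % DRIVERKIT_ENTITLEMENT)
    elif not granted.get(DRIVERKIT_ENTITLEMENT):
        # Claimed but not granted: codesign/Xcode refuse the build, as in the
        # "Provisioning profile ... doesn't include" error quoted above.
        findings.append("PROFILE: profile %r does not grant %s; signing will "
                        "be refused" % (profile.get("Name", "?"),
                                        DRIVERKIT_ENTITLEMENT))
    return findings


# Constructed sample data (not real artifacts) mirroring the second scenario
# in the post: the dext claims the entitlement, the team wildcard profile
# does not grant it.
SAMPLE_DEXT_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.developer.driverkit</key><true/>
</dict></plist>"""
SAMPLE_DEXT_UNENTITLED = b'<plist version="1.0"><dict></dict></plist>'
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Mac Team Provisioning Profile: *</string>
  <key>Entitlements</key><dict>
    <key>com.apple.application-identifier</key><string>TEAMID.*</string>
  </dict>
</dict></plist>"""

if __name__ == "__main__":
    for label, ents in (("unentitled", SAMPLE_DEXT_UNENTITLED),
                        ("entitled", SAMPLE_DEXT_ENTITLEMENTS)):
        for finding in check_driverkit_signing(ents, SAMPLE_PROFILE):
            print(label, "->", finding)
```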
Answered by ssmith_c in 417459022

Well said. I submitted a DTS question about this and DTS told me that the documentation wasn't wrong (I, like you, think it is), and that I need to wait for the entitlements. A few days later this was posted to the forum, which may help you (I haven't tried it yet):


https://forums.developer.apple.com/thread/131240


If it works for you, please check the "this helped me" box. Also, please file a bug report against the DriverKit documentation.
