Notes from System Extensions and DriverKit (Tuesday, June 4th at 10:00 AM)

Kernel extensions

Problems:

Difficult to develop and debug

Stability problems for the system

Security problems for the system

Introducing System Extensions and DriverKit

New as of Catalina

Similar to a kext, but runs in user space, outside the kernel.

Network extensions

Endpoint Security extensions

- Replacement for Kauth event monitoring

Driver extensions

- Control hardware devices

- Uses DriverKit, which replaces IOKit

Deprecating kernel extensions:

macOS Catalina will be the last OS version to run kernel extensions without compromise.

Installing third-party kernel extensions on macOS Catalina now requires that you restart your Mac before they’re permitted to load.

As System Extensions and DriverKit add functionality, kernel extensions with matching functionality will not load.

System Extensions

- Always part of the app

- No such thing as a "standalone system extension"

- Distribute via the MAS or Developer ID (MAS deployment was not previously possible with kernel extensions.)

Sign the System Extension with a Developer ID or MAS certificate

- The Developer ID for Kernel Extensions certificate is no longer required.

A System Extension signed with a Developer ID must be notarized

Installation

- No installer or package is necessary; the System Extension is inside the app bundle.

Use the new System

Extension lifecycle is managed by the system

The System Extension will be stopped and started as needed.

Uninstallation

Moving the app to the trash deactivates all of its extensions. No special uninstall process is needed.

Replies

How is the extension activated? Does the user have to manually open the app, or is there a method using MDM or other management tools?

They did mention that the API allows your app to call for the extension to be activated "whenever it wants". They suggest a check at every launch of the app, but also suggested you might want to wait until after a user agrees to something, or makes an in-app purchase. They did not say if there was a way to register without a user launching an app.

CTK extensions ran into this issue already, and Apple did eventually provide a way that you could register the extension /for the system/ without a user needing to launch an app. (Done using sudo -u _securityagent /Applications/HostApp.app/Contents/MacOS/HostApp. Hard to login with a smart card if you have to be logged in to register the extension!) I don't know if that will be supported for these extensions though.
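As an added example (not code from the session or from any commenter here), this is how a host app could issue the "activate at every launch" request the reply above describes, using Apple's SystemExtensions framework; the class name and the extension bundle identifier are placeholders, and the app must be signed (and notarized if shipped with Developer ID) for the request to be honoured.

```swift
import Foundation
import SystemExtensions

/// Submits an activation request for the extension bundled in this app.
/// Safe to call at every launch: an already active extension just reports
/// `.completed`, and the user is prompted only when approval is outstanding.
/// Keep the instance alive: `request.delegate` is a weak reference.
final class ExtensionActivator: NSObject, OSSystemExtensionRequestDelegate {
    // Placeholder: the CFBundleIdentifier of the .systemextension bundle
    // shipped in HostApp.app/Contents/Library/SystemExtensions.
    static let extensionIdentifier = "com.example.HostApp.Extension"

    func activate() {
        let request = OSSystemExtensionRequest.activationRequest(
            forExtensionWithIdentifier: Self.extensionIdentifier,
            queue: .main)
        request.delegate = self
        OSSystemExtensionManager.shared.submitRequest(request)
    }

    // Called when another version of the same extension is already installed.
    // Refuse to replace a newer build with an older one, so running a stale
    // copy of the app cannot roll the active extension back.
    func request(_ request: OSSystemExtensionRequest,
                 actionForReplacingExtension existing: OSSystemExtensionProperties,
                 withExtension ext: OSSystemExtensionProperties)
        -> OSSystemExtensionRequest.ReplacementAction {
        let isDowngrade = ext.bundleVersion.compare(existing.bundleVersion,
                                                    options: .numeric) == .orderedAscending
        return isDowngrade ? .cancel : .replace
    }

    // The user must approve the extension in Security & Privacy before it loads.
    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {
        NSLog("Extension %@ is waiting for user approval", request.identifier)
    }

    func request(_ request: OSSystemExtensionRequest,
                 didFinishWithResult result: OSSystemExtensionRequest.Result) {
        switch result {
        case .completed: NSLog("Extension activated")
        case .willCompleteAfterReboot: NSLog("Extension will activate after the next restart")
        @unknown default: NSLog("Unexpected activation result: %ld", result.rawValue)
        }
    }

    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {
        NSLog("Activation failed: %@", error.localizedDescription)
    }
}
```

Call `activate()` from the app delegate's launch handler and store the `ExtensionActivator` in a property so it outlives the request.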

Thanks, this is well and good.


How can I find docs on how to create those extension(s) using the DriverKit template?

How do we create a command-line tool or an app and plumb the code to interface with the dext?

-prokash

What happens if an app is deleted using the shell with rm, instead of moving it to the trash?

How do I load the com.apple.DriverKit-AppleUSBFTDI.dext extension?