28 Replies
      Latest reply on Feb 7, 2018 1:26 PM by wwvuillemot
      ncdeboni Level 1 (0 points)

        High Sierra is blocking my kernel extension from loading.  (Security in System Preferences allows to unblock)

        Is this something new applying to all kernel extensions, or am I just doing something wrong?  This will look scary to my customers...

        • Re: High Sierra blocking kernel extensions?
          ncdeboni Level 1 (0 points)

          I should have added: yes, my kext is properly signed (I think!!) such that El Capitan and Sierra are both happy with it.

            • Re: High Sierra blocking kernel extensions?
              GabeJones Level 1 (10 points)

              I'm seeing the same thing.  Also, the whitelisting seems to be on a per-kext basis, not a per-developer basis, such that I have to do this for each of our drivers.  Not only will this be painful for our customers (they'll have to go to the Security preferences and click "Accept" for each driver in our install), but it will likely cause problems for our automated testing as well.

                • Re: High Sierra blocking kernel extensions?
                  gc. Apple Staff (255 points)

                  Please file a bug on this at <https://developer.apple.com/bug-reporting> and post the bug number here.

                  The System Prefs approval UI is not supposed to disappear spontaneously.

                  --gc

                    • Re: High Sierra blocking kernel extensions?
                      GabeJones Level 1 (10 points)

                      I haven't experienced the UI disappearing.  That was another poster.

                      My original complaint has been mostly taken care of:  Our automated testing can use the recent changes to spctl, and after playing with things for a while I found that I was mistaken about things being on a per-driver basis.  Once one of our drivers has been whitelisted, all of the ones sharing the same Team ID are also whitelisted.

                      So, really, the only sticking point for us now is the discontinuity introduced by users having to go to the Security Preferences panel.  It is a bit disruptive.  It would be nice if the warning dialog would give the user the opportunity to approve it then and there instead of having to later go to Security Preferences.  Even better would be if the kextload command would pause until the response to the dialog (whether accept or deny) has been provided by the user.

                        • Re: High Sierra blocking kernel extensions?
                          matth Level 1 (0 points)

                          To provide a different perspective: I'm happy to see the discontinuity, because it's creating a UI that is prioritizing security.

                          We live in a much different world than we did 10 years ago.  Powerful botnets and well-funded hackers use persistent threats in the form of kernel modules to silently exploit unsuspecting users.  And a rogue kernel module makes it very easy to work around the other protections in OS X.

                          While these threats are not as common on OS X as other platforms, they could be one day.  A UI that makes installing kernel modules a bit harder is an excellent idea.  99.9% of users are not installing kernel modules, so making them take a few extra steps is the right move.  Each of those steps provides the user an opportunity to really think through if this is necessary.

                          For the remaining 0.1% of users (perhaps such as yours), the application they are installing is sophisticated enough where they should be able to successfully perform those extra steps.  And there won't be a competitive disadvantage, because all products in categories where kernel modules are necessary will have the same UX.

                          I am glad that there is not a warning dialog that allows for immediate approval. I would not want that on my system.

                  • Re: High Sierra blocking kernel extensions?
                    matth Level 1 (0 points)

                    I've already hit an issue where the prompt to Accept in Security preferences vanished on its own.  And there seems to be no way to get it back.

                    • Re: High Sierra blocking kernel extensions?
                      eskimo Apple Staff (11,655 points)

                      ncdeboni wrote:

                      Is this something new applying to all kernel extensions …?

                      Correct.  I can’t go into this in too much detail in this context — we should have some official info on this topic published soon — but it’s safe to say that this was a deliberate security policy change.

                      Share and Enjoy

                      Quinn “The Eskimo!”
                      Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                      let myEmail = "eskimo" + "1" + "@apple.com"

                        • Re: High Sierra blocking kernel extensions?
                          matth Level 1 (0 points)

                          This is a good change.  Any way to help us out in the short run by giving us a way to get the Security preferences to re-prompt for authorization?

                            • Re: High Sierra blocking kernel extensions?
                              eskimo Apple Staff (11,655 points)

                              Any way to help us out in the short run by giving us a way to get the Security preferences to re-prompt for authorization?

                              I just tried this here in my office:

                              1. I attempted to load my KEXT using kextload.

                              2. It failed with the expected error:

                                $ sudo kextload /Library/Extensions/KauthORama.kext
                                /Library/Extensions/KauthORama.kext failed to load - (libkern/kext) not loadable (reason unspecified); check the system/kernel logs for errors or try kextutil(8).

                              3. In System Preferences > Security & Privacy > General, I saw a message “System software from developer xxx was blocked from loading.” with an Allow button.

                              4. I ignored my Mac for an hour (I think the threshold here is 30 minutes).

                              5. The message from step 3 disappeared.

                              6. I repeated step 2.

                              7. The message from step 3 re-appeared.

                              I was testing this with macOS 10.13 beta 1 running in a VM.

                              Share and Enjoy

                              Quinn “The Eskimo!”
                              Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                              let myEmail = "eskimo" + "1" + "@apple.com"

                                • Re: High Sierra blocking kernel extensions?
                                  matth Level 1 (0 points)

                                  I've tried this a few times (with more than 30 min delay between attempts) and haven't been able to get the prompt to come back up.  I was hoping there was some explicit way to reset the prompt, but if not, I can just file a Radar

                                    • Re: High Sierra blocking kernel extensions?
                                      eskimo Apple Staff (11,655 points)

                                      I've tried this a few times (with more than 30 min delay between attempts) and haven't been able to get the prompt to come back up.

                                      Weird.  That definitely worked for me (I tried it before I posted).

                                      I was hoping there was some explicit way to reset the prompt

                                      AFAIK there is not.

                                      if not, I can just file a Radar

                                      Absolutely.  Maybe even two (one for a developer-focused mechanism to trigger the prompt, one for the fact that it’s not coming back automatically on your machine).

                                      Share and Enjoy

                                      Quinn “The Eskimo!”
                                      Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                      let myEmail = "eskimo" + "1" + "@apple.com"

                                • Re: High Sierra blocking kernel extensions?
                                  GabeJones Level 1 (10 points)

                                  Great to know that there will be official word about this change coming.  Will you reply to this thread with a link when it is available?

                                  Will there be a tool similar to the user-mode Gatekeeper's spctl to allow us to programmatically manage the whitelist?

                                  • Re: High Sierra blocking kernel extensions?
                                    Johnny Forensic Level 1 (0 points)

                                    Hello. I’ve reviewed TN2459 and I’m left with a really big question.

                                    How can enterprise software packages be deployed and run that use KEXTs if the desktop end user—who has no clue what these deployed packages are—can deny access?

                                    We make an enterprise level digital forensics and incident response package that runs on macOS, and the endpoint agents are deployed from our server through a push mechanism. There is no interface at all for the end user; this is an enterprise tool that is run through the IT Security staff. In fact, in most cases, they don’t WANT the end users to know our tool exists.

                                    If we push agents and the end users have the ability to decline them, how can enterprise software rules be enforced? Am I missing something in the technical documentation that covers enterprise software deployments?

                                    Thank you,

                                    John

                                  • Re: High Sierra blocking kernel extensions?
                                    gc. Apple Staff (255 points)

                                    There is a new technote out that covers this new macOS High Sierra feature:

                                    Technical Note TN2459

                                    Secure Kernel Extension Loading

                                    https://developer.apple.com/library/content/technotes/TN2459/_index.html#//apple_ref/doc/uid/DTS40017658

                                    --gc

                                      • Re: High Sierra blocking kernel extensions?
                                        tartempion Level 1 (10 points)

                                        • Could it be possible to explain how this is supposed to bring additional security considering that:

                                          - kernel extensions installed prior to upgrading to High Sierra won't be filtered.

                                          - by not loading the kernel extensions, this feature can decrease the security/safety level expected by users who purchased a solution whose purpose is to provide additional security/safety levels.

                                        Basically, it's already required to:

                                          - codesign the kernel extension with Developer ID Certificates specific for kernel extensions and which are apparently quite hard to obtain these days.

                                          - productsign the installation packages when using Apple standard installation packages.

                                          - request administrative privileges from the user installing (or dynamically loading) the kernel extensions.

                                        • Wouldn't it be just easier to require to use an Apple standard installation package to install any kernel extension so that some Apple code:

                                          - can check the contents of the payload for any kernel extension and the related certificate.

                                          - allows only a specific Apple process (shove?) to install a kernel extension (to avoid the issue with components being installed during the pre or post installation scripts or via a privilege helper tool, for instance for Drag and Drop install).

                                          - notifies the user before the installation begins (if there is still any sense to do so considering the previous checks) and requests what to do prior to installing the files. See the last bullet for an additional useful feature.

                                          This way, you don't:

                                          - break the installation workflow in 3 steps: install, discover it does not work as expected, fix the issue.

                                          - have the user figuring out which solution installed the kernel extension (the Subject Common Name may not always be easy to link with the name of the product, even more so if the product is distributed as a white-label).

                                          - need for the user to guess that it needs to go to the Security & Privacy pane to make the solution run as expected.

                                          - require additional work from 3rd party developers to deal with their kernel extension not being loaded by High Sierra for a new unexpected reason.

                                          - make the end user the Directly Responsible Individual that should ensure that the kernel extension is safe to be used.

                                        • It would also be welcome that the Technical Note lists what can be done to be informed that the kernel extension has been finally loaded after an admin user trusted the developer ID. Intuitively, I would go with kernel events but maybe there are more appropriate ways to deal with this new asynchronism.

                                        • And finally, there's something missing when you compare this feature with the privacy feature to access AddressBook contents for instance:

                                          There are apparently no ways at this point for the 3rd party developer to explain why the product needs to use a kernel extension or what the kernel extension will do.

                                          Basically, this new mechanism currently makes all kernel extensions look evil.

                                          • Re: High Sierra blocking kernel extensions?
                                            Lima Level 1 (0 points)

                                            tartempion thank you for this detailed question.
                                            I hope Apple will give a detailed answer,

                                            our app faces a similar situation.

                                            In terms of UX it's very hard to create a coherent user scenario with a red error button in the middle.

                                            Thank you for your help.

                                            • Re: High Sierra blocking kernel extensions?
                                              tartempion Level 1 (10 points)

                                              Addendum:

                                              According to the Technote, Kernel Extensions should be put in either /Library/Application Support (manually loading) or /Library/Extensions (automatic loading) to automatize the "approval" of other kexts from the same vendor once one kext has been "approved".

                                              I have one problem and question about using /Library/Application Support. This directory has not always been root:wheel (e.g. (Mac) OS X 10.7).

                                              So is there any guarantee that it will be root:wheel on (Mac) OS X 10.8 and later on all deployed OS X systems whatever the migration/update path was?

                                            • Re: High Sierra blocking kernel extensions?
                                              BoBKelso Level 1 (0 points)

                                              Hi,

                                              shouldn't those changes be announced by mail to every agent that has access to a certificate which can be used to sign Kernel Extensions?

                                              As far as I can see we did not receive an E-Mail regarding those changes. We were lucky to stumble across this forum topic early.

                                              Best Regards

                                              Timo

                                              • Re: High Sierra blocking kernel extensions?
                                                tartempion Level 1 (10 points)

                                                Is the Technical Note going to be revised soon?

                                                Because what the technote states is completely different from what seed 3 is implying with the quite incomplete "Allow…" dialog sheet in System Preferences > Security & Privacy > General pane?

                                                Also this would allow to confirm that the expected return code is 27 when the loading of the kext is blocked due to "system policy".

                                                Problem ID 33236899

                                                  • Re: High Sierra blocking kernel extensions?
                                                    eskimo Apple Staff (11,655 points)

                                                    Is the Technical Note going to be revised soon?

                                                    TN2459 was updated for b3 on 12 Jul.

                                                    Share and Enjoy

                                                    Quinn “The Eskimo!”
                                                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                    let myEmail = "eskimo" + "1" + "@apple.com"

                                                      • Re: High Sierra blocking kernel extensions?
                                                        tartempion Level 1 (10 points)

                                                        Thanks.

                                                        Unfortunately, b3 does not match TN2459 when it comes to the Security & Privacy Pane behavior (Bug report already filed).

                                                        It does not explain how a daemon (or root process) can be informed that a kext is now running without doing some polling.

                                                        Sample code for I/O Kit and non I/O Kit scenarios could prove useful (and also prove that the feature works as expected).

                                                    • Re: High Sierra blocking kernel extensions?
                                                      decius Level 1 (0 points)

                                                      GC,

                                                      I want to second the negative feedback that has been provided by others in this forum regarding this change. Although I get the intent of what you are attempting to accomplish from a security perspective, where this change fails is its UI design. In my opinion there are much better ways to design this user interface to handle the general case of legitimate applications that rely on kernel extensions, without compromising the security objective here.

                                                      The problem before High Sierra is that any application could attempt to activate a kernel extension at any time. In that case, this UI makes a certain amount of sense, as user interaction can be demanded whenever that happens to occur.

                                                      However, most applications that have kernel extensions do not load them randomly or unpredictably. What Apple has failed to do here is provide developers with a structured process that is easy for users to follow that legitimate applications and installers can use to guide users through approving kernel extensions at installation/setup time. As things stand, the only option is to pop up a window which attempts to explain the process to the user, tell them they are about to see an error message, attempt to load the extension so the error appears, and then attempt to show the user how to dig through the System Preferences to approve it. This is extremely cumbersome and will ultimately fail in practice.

                                                      In my opinion, for what it's worth, applications should be able to direct the operating system to ask the user for approval directly in a pop-up dialog at install time, instead of requiring the user to find the approval switch within the System Preferences. Applications should also be able to obtain approval to load kernel extensions in the future before actually loading them, as loading them at install time may not be appropriate.

                                                      Regardless of whether or not your designers agree with those observations, the present UI appears to be designed to deter the loading of kernel extensions in general and the user experience in the context where kernel extensions must be loaded does not appear to have been given careful consideration. You must go back to the drawing board on this.

                                                      Thanks,

                                                      TC

                                                      • Re: High Sierra blocking kernel extensions?
                                                        Johnny Forensic Level 1 (0 points)

                                                        So, if I read the updated technote correctly, the solution for enterprise deployments is to manually boot each computer into recovery mode to issue commands to allow kernel extensions on a per-machine basis?

                                                        One of our customers has over 10,000 Macs in deployment. How is their IT team supposed to walk around and do this individually on 10,000 Macs? Similarly, if they don’t do this, then when IT pushes our software package out to the endpoints, every user is going to be left with the decision to allow our kernel extension? For a security package that the end users aren’t even supposed to really know about? That has no GUI whatsoever?

                                                        I get completely what you’re trying to do here, and the effort is a noble one, but while it works brilliantly in a single-owner environment, it becomes absolutely unusable in a large enterprise environment under the current technote definitions. Ask yourselves how an enterprise user with 10,000 Macs is supposed to push mission critical security software that the end-users are not supposed to be able to defeat, and please understand that an IT team manually booting 10,000 Macs into recovery mode to change settings isn’t going to work.

                                                      • Re: High Sierra blocking kernel extensions?
                                                        tekezo Level 1 (0 points)

                                                        FYI:

                                                        I want to revert the kext loading system policy state in order to test my application behavior when my kext is blocked.

                                                        I succeeded in removing my identifier from the allowed kext list by the following procedure.

                                                        1. The system policy is saved into /private/var/db/SystemPolicyConfiguration/KextPolicy (sqlite3 file).

                                                          To modify the file, boot macOS in Recovery Mode.

                                                        2. Open Terminal in Recovery Mode, then open the file by this command.

                                                            sqlite3 /Volumes/<YOUR VOLUME NAME>/private/var/db/SystemPolicyConfiguration/KextPolicy

                                                        3. Confirm contents by these queries.

                                                            sqlite> .tables
                                                            sqlite> SELECT * FROM kext_policy;
                                                            sqlite> SELECT * FROM kext_load_history_v3;

                                                        4. Delete policies by these queries. (Replace 'G43BCU2T37' with your team_id)

                                                            sqlite> DELETE FROM kext_policy WHERE team_id = 'G43BCU2T37';
                                                            sqlite> DELETE FROM kext_load_history_v3 WHERE team_id = 'G43BCU2T37';

                                                        5. Exit sqlite by control+D. Then restart macOS.
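The procedure in the post above, as an added example that is not part of the thread and not tekezo's code. It wraps the same two tables in a small Python script: a read-only audit of which Team IDs a machine has approved (useful when reviewing a mounted image during incident response) and the step-4 reset for one Team ID, used to re-test the Security & Privacy prompt against your own kext. Only the database path, the two table names, the team_id column and the DELETE statements come from the thread; the other column names (bundle_id, allowed, developer_name, boot_uuid, last_seen) are assumed for the constructed sample database and should be checked with `.schema` on a real system. The real file is SIP-protected, so on a live Mac the reset part only works from Recovery Mode, as the post says; the demo below runs against a temporary constructed copy.

```python
"""Inspect, and for testing reset, the High Sierra kext policy database.

Added example, not code from the thread. Taken from the thread: the database
path, the two table names (kext_policy, kext_load_history_v3), the team_id
column and the DELETE statements. ASSUMED for the constructed sample database:
the remaining column names; run `.schema` in sqlite3 on a real system first.
"""
import os
import sqlite3
import tempfile

# Path named in the thread. SIP-protected, so it is only writable from
# Recovery Mode, where it appears under /Volumes/<volume name>/...
KEXT_POLICY_DB = "/private/var/db/SystemPolicyConfiguration/KextPolicy"

# Team ID used in the thread's example queries; bundle ids and names are constructed.
EXAMPLE_TEAM_ID = "G43BCU2T37"


def build_sample_db(path):
    """Create a constructed stand-in for KextPolicy with an ASSUMED schema."""
    conn = sqlite3.connect(path)
    with conn:
        conn.execute(
            "CREATE TABLE kext_policy ("
            " team_id TEXT, bundle_id TEXT, allowed INTEGER, developer_name TEXT,"
            " PRIMARY KEY (team_id, bundle_id))"
        )
        conn.execute(
            "CREATE TABLE kext_load_history_v3 ("
            " team_id TEXT, bundle_id TEXT, boot_uuid TEXT, last_seen TEXT)"
        )
        conn.executemany(
            "INSERT INTO kext_policy VALUES (?, ?, ?, ?)",
            [
                (EXAMPLE_TEAM_ID, "org.example.driver", 1, "Example Corp"),
                ("TEAMID00000", "com.example.blocked", 0, "Other Vendor"),
            ],
        )
        conn.executemany(
            "INSERT INTO kext_load_history_v3 VALUES (?, ?, ?, ?)",
            [
                (EXAMPLE_TEAM_ID, "org.example.driver", "boot-1", "2017-07-12"),
                (EXAMPLE_TEAM_ID, "org.example.driver", "boot-2", "2017-07-13"),
                ("TEAMID00000", "com.example.blocked", "boot-2", "2017-07-13"),
            ],
        )
    conn.close()


def audit_kext_policy(path):
    """Read-only view of which team/bundle pairs have been allowed.

    Opened with mode=ro so an audit of a mounted image can never modify the
    policy by accident.
    """
    conn = sqlite3.connect("file:%s?mode=ro" % path, uri=True)
    try:
        rows = conn.execute(
            "SELECT team_id, bundle_id, allowed FROM kext_policy"
            " ORDER BY team_id, bundle_id"
        ).fetchall()
    finally:
        conn.close()
    return [{"team_id": t, "bundle_id": b, "allowed": bool(a)} for t, b, a in rows]


def reset_team(path, team_id):
    """Step 4 of the thread's procedure: forget one team's approval and load
    history so the Security & Privacy prompt can be exercised again.
    Parameterised queries keep a team id taken from input out of the SQL text.
    Returns the number of rows removed across both tables."""
    conn = sqlite3.connect(path)
    with conn:
        removed = conn.execute(
            "DELETE FROM kext_policy WHERE team_id = ?", (team_id,)
        ).rowcount
        removed += conn.execute(
            "DELETE FROM kext_load_history_v3 WHERE team_id = ?", (team_id,)
        ).rowcount
    conn.close()
    return removed


def demo():
    """Run audit -> reset -> audit against a temporary constructed database."""
    db = os.path.join(tempfile.mkdtemp(), "KextPolicy")
    build_sample_db(db)
    before = audit_kext_policy(db)
    removed = reset_team(db, EXAMPLE_TEAM_ID)
    after = audit_kext_policy(db)
    return before, removed, after


if __name__ == "__main__":
    for item in demo():
        print(item)
```

On a real system, point `audit_kext_policy` at `KEXT_POLICY_DB` (or the `/Volumes/<name>/...` path from Recovery Mode) and compare the allowed Team IDs against the vendors you expect; an unexpected approved Team ID is worth investigating, since approval is what lets a kext past the High Sierra policy.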

                                                        • Re: High Sierra blocking kernel extensions?
                                                          wwvuillemot Level 1 (0 points)

                                                          FWIW, I found that non-Apple products -- minimally my Logitech G502 mouse -- cannot be used to click on the "Approve" button from the Security & Privacy pane.  Instead, use of an Apple trackpad or mouse was required.

                                                          In console, I found: com.apple.preference.security.remoteservice Dropping mouse down event because sender's PID (112) isn't 0 or self (423)

                                                          https://discussions.apple.com/message/32992230?ac_cid=op123456