Problems giving kernel extensions permission to load in 10.13

[Brian Kendall]

My company occasionally gets reports from users that they can install our driver but they can't get it to load in macOS 10.13.

What will typically happen from a user-facing perspective is they will run our installer, see the "System Extension Blocked" dialog that points them to the Security & Privacy system preferences, open Security & Privacy, click the "Allow" button at the button of the window that's supposed to allow our kext to load, and then nothing will happen. Specifically, the "Allow" button presses, but then does not go away and the kernel extension never loads.

Behind the scenes, what's going on is we're calling kextload to load our kernel extension and it always fails with status code 27, meaning that our kext doesn't yet have permission from the user to load. Calling kextload again doesn't in anyway change the problem. As near as we can tell, once a user's system gets into this state, it becomes impossible for our (or possibly anyone else's) kexts to load.

The only methods we've found to workaround this issue is to either:
a) boot into the recovery environment and disable kext user consent by executing `spctl kext-consent disable` in Terminal, or
b) reinstall macOS

Have any of you encountered this problem before? If so, is there any methods of dealing with it?

We suspect it's a bug in macOS but haven't been able to confirm it. Unfortunately, the only systems we've encountered that experience this issue are user's systems. We haven't managed to replicate it on our own systems, much less find any consistent way to trigger it.

- Brian

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-drivers mailing list (Darwin-...@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/darwin-drivers/darwin-drivers-garchive-96018%40googlegroups.com

This email sent to darwin-drivers...@googlegroups.com

[devlist]

I’ve seen the same thing. Eventually after a couple of reboots and clicking Allow then the popup appears with the names of the blocked extension.
After this the extension loads.

Martin

> https://lists.apple.com/mailman/options/darwin-drivers/devlist%40mac.com
>
> This email sent to dev...@mac.com

[no...@dynax.at]

We can also confirm the issue here (though we only have received reports and weren't able to reproduce it in-house), but I suspect it not being fixed because its perfectly inline with the general strategy of kicking third parties out of the kernel.

Viele Grüße/Cheers,
Hagen.

> https://lists.apple.com/mailman/options/darwin-drivers/noise%40dynax.at
>
> This email sent to no...@dynax.at

[Brian Kendall]

Well I'm glad to know it's not just me, then! Thanks for the input.

Have any of you submitted a bug report to Apple?

- Brian

[Tim Sheridan]

Hi all,

I've used the following workaround for the "Allow" button click getting ignored:

1. Open "System Preferences", "Keyboard", "Shortcuts" tab
2. Set "Full Keyboard Access" to "All controls"
3. Open "System Preferences", "Security & Privacy", "General" tab
4. Press tab key until the "Allow" button is highlighted
5. Press space bar

Tim

> On 16 Mar 2018, at 20:46, Brian Kendall <guyg...@gmail.com> wrote:
>

> https://lists.apple.com/mailman/options/darwin-drivers/tghs%40apple.com
>
> This email sent to tg...@apple.com

[Mike Crawford]

My kexts don't load at all if installed on a virgin High Sierra box.  But if that box has been in use - even just a little bit - they will load

https://lists.apple.com/mailman/options/darwin-drivers/mdcrawford%40gmail.com

This email sent to mdcra...@gmail.com

--
--
Mike Crawford mdcra...@gmail.com

  The Global Computer Employer Index: http://soggy.jobs/computer
   (It's not very global yet.)

[Brian Kendall]

Tim, thanks for sharing this! It's already helped one of our users.

- Brian