Can Kernel Extensions Be Loaded From Single-User Shell?


Michael Crawford

Apr 11, 2018, 6:25:45 PM
to darwin-...@lists.apple.com
I am investigating my kexts' failure to load.

Sometimes I think this is my fault, sometimes I think there's
something wrong with High Sierra's security, specifically High
Sierra's User-Approved Kernel Extension Loading:

rdar://39219050

https://developer.apple.com/library/content/technotes/tn2459/_index.html

Apple marked my report as a duplicate but left it open. That suggests
that someone at Apple thinks it might really be their bug.

Command-S at boot

# mount -uw /

# kextload /Library/Extensions/MyDriver.kext    # I will try again with kextutil

.... lots of messages...

/System/Library/Extensions/AppleKextExcludeList.kext has invalid
signature; trust cache is disabled. Untrusted kexts are not allowed

But if I reboot then log in, AppleKextExcludeList.kext has a valid signature:

$ codesign -v -v /System/Library/Extensions/AppleKextExcludeList.kext/
/System/Library/Extensions/AppleKextExcludeList.kext/: valid on disk
/System/Library/Extensions/AppleKextExcludeList.kext/: satisfies its Designated Requirement

Puzzled,

Mike
--
Mike Crawford
Portland Custom Software Development
mi...@soggywizards.com
http://soggywizards.com

One Must Not Trifle With Wizards For It Makes Us Soggy And Hard To Light
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-drivers mailing list (Darwin-...@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/darwin-drivers/darwin-drivers-garchive-96018%40googlegroups.com

This email sent to darwin-drivers...@googlegroups.com

Michael Crawford

Apr 11, 2018, 8:59:21 PM
to darwin-...@lists.apple.com
Apparently not, because kextd isn't running when single-user boot gets
to a shell.

Attempting to load it:

# launchctl load /System/Library/LaunchDaemons/com.apple.kextd.plist

... doesn't work because "No task-access server configured".

Jerome Krinock

May 4, 2018, 8:26:06 PM
to Michael Crawford, darwin-...@lists.apple.com
I wonder if you are aware that, for the past few years, you need a special “stamp” on your Apple Developer account in order to successfully sign kexts.

https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/KernelExtensions/KernelExtensions.html

https://developer.apple.com/contact/kext

Michael Crawford

May 4, 2018, 8:44:47 PM
to Jerome Krinock, darwin-...@lists.apple.com
Yes, I have a kernel extension signing certificate.

Apple isn't always willing to issue one. In my case I'm writing a USB
function driver for a client that is a fabless semiconductor firm
whose chips only support Windows and Linux. When I - Real Soon Now -
complete our contract, my client will also support macOS with one
of their chips.

Working at a fabless hardware company is quite cool. Lots of
expensive toys for me to play with.

Mike