Mojave 10.14.5 changes kernel extension security

Tucked away in the macOS Mojave 10.14.5 update is a significant change in the way that it handles third-party kernel extensions. The only outward sign is a change in the version number of its KEXT block extension, AppleKextExcludeList.kext in /System/Library/Extensions, bringing it to version 14.5.1.

Apple had previously warned third-party developers of kernel extensions that, in addition to their special signing certificates, all updated and new kernel extensions would need to be notarized by Apple. What has happened inside AppleKextExcludeList.kext shows how far-reaching this change is proving to be.

Until 10.14.5, AppleKextExcludeList.kext contained a single property list, KnownPanics.plist, which lists kernel extensions known to Apple to cause kernel panics and which are therefore blocked from loading in Mojave; that is unchanged in 10.14.5. The kext now contains a second property list, ExceptionLists.plist, a long dictionary of “secure timestamp exceptions”.

Each entry consists of a string of hex digits, presumably an identifier or hash, together with the kext’s bundle ID (such as com.thiscompany.mykext) and its version number. These appear to be an exhaustive list of over 18,000 existing kernel extensions which have been granted exceptions to the notarization requirement. They range from NVIDIA’s ResmanWeb to Jonathan Zdziarski’s LittleFlocker.
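As an added example (not code from the original post or from Apple), here is a Python check a Mac admin might run to see which loaded third-party kexts are relying on that exception list: it parses a plist in the shape described above and flags any loaded kext whose exact bundle ID and version pair is absent, since the entries are per version. The key names BundleID and Version, the sample plist and the kextstat-style lines are constructed assumptions; Apple’s real schema may differ.

```python
import plistlib
import re

# Constructed sample in the shape the post describes: a dictionary keyed by a
# hex string, each entry naming a kext bundle ID and version. The key names
# "BundleID" and "Version" are assumptions, not Apple's actual schema.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>0a1b2c3d4e5f60718293a4b5c6d7e8f9</key>
  <dict><key>BundleID</key><string>com.thiscompany.mykext</string>
        <key>Version</key><string>1.2.3</string></dict>
  <key>f9e8d7c6b5a4938271605f4e3d2c1b0a</key>
  <dict><key>BundleID</key><string>com.example.olddriver</string>
        <key>Version</key><string>4.0</string></dict>
</dict></plist>
"""

# Constructed lines in the shape of `kextstat` output (index, refs, address,
# size, wired, bundle ID, version in parentheses, linkage); Apple kexts omitted.
SAMPLE_KEXTSTAT = """\
  120    0 0xffffff7f83a00000 0x2000 0x2000 com.thiscompany.mykext (1.2.3) <5 4 3>
  121    0 0xffffff7f83b00000 0x9000 0x9000 com.example.olddriver (4.1) <5 4 3>
  122    0 0xffffff7f83c00000 0x3000 0x3000 com.example.newdriver (0.9) <5 4 3>
"""

# One kextstat row: five numeric columns, then bundle ID, then "(version)".
KEXTSTAT_RE = re.compile(
    r"^\s*\d+\s+\d+\s+0x[0-9a-f]+\s+0x[0-9a-f]+\s+0x[0-9a-f]+\s+(\S+)\s+\(([^)]+)\)")

def load_exceptions(plist_bytes):
    """Return the set of (bundle_id, version) pairs granted an exception."""
    data = plistlib.loads(plist_bytes)
    return {(entry["BundleID"], entry["Version"]) for entry in data.values()}

def loaded_kexts(kextstat_output):
    """Parse (bundle_id, version) pairs out of kextstat-style text; header lines are skipped."""
    matches = (KEXTSTAT_RE.match(line) for line in kextstat_output.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def unexcepted_kexts(plist_bytes, kextstat_output):
    """Loaded kexts whose exact (bundle ID, version) is not on the exception list.
    A version bump (olddriver 4.0 -> 4.1 below) drops a kext off the list."""
    exempt = load_exceptions(plist_bytes)
    return [kext for kext in loaded_kexts(kextstat_output) if kext not in exempt]

if __name__ == "__main__":
    for bundle_id, version in unexcepted_kexts(SAMPLE_PLIST, SAMPLE_KEXTSTAT):
        print(f"{bundle_id} {version}: not on the exception list")
```

On a real Mac the two inputs would come from ExceptionLists.plist inside the kext bundle and from `kextstat` output, with Apple’s own kexts filtered out first.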

It will be interesting to see how this new system works out. I’m amazed at just how many kernel extensions are listed there.