Extensions, Big Sur and M1 Macs

There are two main types of extension in macOS: traditional kernel extensions, which have the extension .kext and run in kernel space, and modern system extensions and their relatives which run in user space. Although developers are moving their old kexts to the new varieties, this isn’t an easy task, so please bear with them as they do.

Normally, when you install third party products which rely on extensions, they should also install any necessary extensions for you. This may not be true of some free software, and in any case the process requires your involvement. This article explains what happens, and what you’ll need to do.

Kernel extensions

What used to happen was that third-party kexts were installed in the folder /Library/Extensions, incorporated into a new prebuilt kernel, and were quickly ready for use without any further fuss. However, given that kexts run in kernel space, they have access to the very heart of the system, so Apple has progressively tightened security measures imposed on them.

The strictest rules come with M1 Macs: they have a new platform security setting which blocks the loading of all third-party kexts, and that’s turned on by default. If you want your M1 Mac to load a new kext, you’ll need to start it up in Recovery Mode: hold the Power button until the display shows Loading Startup Options, then release it. This takes you to the Startup Options screen. Select the Options icon, then click Continue underneath it.

Once the main window has loaded, select the Startup Security Utility in the Utilities menu. You’ll then be prompted to select the system for which you want to configure startup security. Once you’ve unlocked that disk, click on the button to set startup security for that disk. Then select Reduced Security, and check the upper of the two boxes, which allows user management of kernel extensions. Quit Startup Security Utility, and select Restart from the Apple menu to restart into normal mode.

There’s another catch with M1 Macs: all kexts must support the arm64e architecture. Non-universal kexts won’t run on Apple Silicon Macs.
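
To check that requirement before moving a kext to an M1 Mac, you can read the architecture slices from the header of its executable. The following is an added example, not code from Apple or from any kext vendor: the function names are hypothetical, the numeric constants are those in Apple's Mach-O headers, and the sample headers are constructed for illustration.

```python
import struct

# Constants from Apple's <mach-o/fat.h>, <mach-o/loader.h> and <mach/machine.h>
FAT_MAGIC, FAT_MAGIC_64 = 0xCAFEBABE, 0xCAFEBABF
MH_MAGIC_64 = 0xFEEDFACF
CPU_TYPE_X86_64, CPU_TYPE_ARM64 = 0x01000007, 0x0100000C
ARM64_SUBTYPES = {0: "arm64", 1: "arm64v8", 2: "arm64e"}


def arch_name(cputype, cpusubtype):
    sub = cpusubtype & 0x00FFFFFF  # high byte holds capability bits, not the subtype
    if cputype == CPU_TYPE_ARM64:
        return ARM64_SUBTYPES.get(sub, "arm64(sub=%d)" % sub)
    if cputype == CPU_TYPE_X86_64:
        return "x86_64"
    return "cpu(0x%x)" % cputype


def macho_archs(data):
    """Return the architecture names declared in a Mach-O or universal header."""
    if len(data) < 12:
        raise ValueError("too short for a Mach-O header")
    (magic,) = struct.unpack_from(">I", data, 0)  # fat headers are big-endian
    if magic in (FAT_MAGIC, FAT_MAGIC_64):
        (count,) = struct.unpack_from(">I", data, 4)
        step = 20 if magic == FAT_MAGIC else 32  # sizeof fat_arch / fat_arch_64
        if count > 64 or len(data) < 8 + count * step:
            raise ValueError("implausible or truncated universal header")
        return [arch_name(*struct.unpack_from(">II", data, 8 + i * step))
                for i in range(count)]
    magic, cputype, cpusubtype = struct.unpack_from("<III", data, 0)
    if magic == MH_MAGIC_64:  # thin 64-bit little-endian binary
        return [arch_name(cputype, cpusubtype)]
    raise ValueError("not a 64-bit Mach-O or universal binary")


def has_arm64e_slice(data):
    # Plain arm64 does not satisfy the kext requirement; only arm64e does.
    return "arm64e" in macho_archs(data)


def fat_header(*slices):
    """Build a constructed universal header for the samples below."""
    out = struct.pack(">II", FAT_MAGIC, len(slices))
    for cpu, sub in slices:
        out += struct.pack(">IIIII", cpu, sub, 0x4000, 0x1000, 14)
    return out

# Constructed sample headers, not taken from any real kext
UNIVERSAL = fat_header((CPU_TYPE_X86_64, 3), (CPU_TYPE_ARM64, 0x80000002))
ARM64_NOT_E = fat_header((CPU_TYPE_ARM64, 0))
INTEL_ONLY = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_X86_64, 3, 11, 0, 0, 0, 0)
```

To use it on a real kext, pass in the first few kilobytes of the executable found in the bundle's Contents/MacOS folder; a result without arm64e means the kext can't be loaded on an M1 Mac whatever the security setting.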

Follow the normal procedure for installing the kernel extension, which is similar to that in Catalina. Open the General tab of the Security & Privacy pane, authenticate, and when the installer has readied the kext for installation, a new item will appear low down in this pane inviting you to allow the kext to be installed. Agree to that, and the installation should complete. Your Mac will then need to restart to load your newly installed kext. One exception to the requirement to restart is for kexts which don’t actually contain their own executable code. They should take effect once you’ve agreed to install them in the Security & Privacy pane.

Updating an existing third-party kext follows the same process, with the same restart at the end to load it.

Should you want to uninstall a third-party kext, then its app should provide an option in its installer, or an uninstaller utility, to perform that. This will use the kmutil command tool to remove the kext from the collection being used to boot the Mac, following which you’ll need to restart to put that into effect.

If you need to do any of this manually – for example, if the kext is part of freely-distributable software – then you should look for explicit instructions before trying to use the command tool required, kmutil. Apple explains the processes for developers, and that tool does have an excellent man page, but it’s still complex to use. One generally useful command is
kmutil inspect
which lists all kexts in your currently active collection.

In Big Sur, third-party kexts are kept in folders inside /Library/StagedExtensions, typically in Applications or Library/Extensions within that, whereas system kexts are in /System/Library/Extensions which is locked away on the System volume. You’ll also still see them listed in /Library/Extensions.

System extensions

System extensions, drivers and their relatives should prove far simpler to work with. They’re controlled by the app itself, which should be able to install, load and remove its own system extension without having to restart your Mac, although you’ll still have to give your approval. To ensure that this works properly, install the app in your main Applications folder, or that inside your Home folder. System extensions may fail to install if the app containing them is installed in a different location. System extensions should be automatically uninstalled when you remove their app.

The app keeps any system extensions in its folder Contents/Library/SystemExtensions, and in /Library/SystemExtensions, with /Library/DriverExtensions fulfilling that role for drivers. The command tool which is used to manage system extensions is systemextensionsctl, but its man page is devoid of information, so you’ll have to view its usage information using
systemextensionsctl -h
for example. You can use
systemextensionsctl list
to list all known system extensions and their status.

Further details on system extensions are given in Apple’s developer documentation.