hoakley April 17, 2022 Macs, Technology

Last Week on My Mac: kextermination is coming

Like opiates, kernel extensions have brought wonderful powers, but all too frequent suffering. Any feature which can transform a Mac into an incipient kernel panic isn’t exactly endearing. I suppose in some ways I’ve benefitted from the adverse effects of third-party kernel extensions (kexts) for the last twenty-one years, in all the problem-solving articles I’ve written about them. I’m still looking forward to kextermination, the time when kexts are finally banished from macOS.

No, this doesn’t mean that I’ve got inside information that Apple is going to announce at WWDC that macOS 13 on Apple Silicon won’t allow the loading of third-party kexts, although I’d be delighted if that were to happen. Instead, as more and more Mac users migrate to these new Macs, kexts become ever rarer. I have eight third-party kexts on this iMac Pro, and not one on any of my M1 Macs.

If you’re still waiting for your M1 Mac to be released from China’s strangulating lockdowns, you may not be aware of the surprise that’s in store for you if you want it to load a third-party kext. First, the entry qualifications are stringent: it has to be signed using a special certificate provided by Apple, it has to be notarized, and must contain complete executable code for ARM chips, as it can’t use Rosetta 2 translation to accommodate Intel code.

Installing the kext is also non-trivial. Apple’s advice to developers is lengthy, and should be sufficient deterrent in itself. For M1 Macs, the crucial opening steps can’t be automated, and require the user to:

Start up in Recovery mode and select Options.
Open Startup Security Utility.
Downgrade boot security to Reduced Security.
Enable the loading of third-party kexts.
Restart in normal mode, and proceed to install the app with its kext installation steps, involving authorising the new kext in the Security & Privacy pane.
Once the kext has been fully installed, and built into the Auxiliary Kernel Collection, to restart.

Although Apple advises developers to provide “a clear explanation of what your kext does, and why its installation is necessary” to alleviate some of the user’s concerns, particularly in reducing security, that might be a lost cause for many. One of the most significant penalties of running your M1 Mac at that level of security is that Activation Lock is disabled, making it possible for someone else to erase, restore and activate it for themselves. Apple Pay capabilities could also be disabled if macOS considered that a third-party kext could interfere with the trustworthiness of macOS. Some users report that copies of macOS which have been downgraded to allow kext use don’t update reliably, and can exhibit other problems.

Reducing the security of an M1 Mac isn’t disaster, but it’s clearly not something to enter into lightly.

Installing kexts in the past was so easy that we forget why most of them are there any more. Of the eight on my iMac Pro, the oldest dates from 2013, and I’m not aware that any of them is actually needed any more. But they’ve quietly migrated from Mac to Mac over the last few years as kexts usually do. Thankfully, none of them seems to have affected the stability of this Mac, but that might be because none of them are loaded anyway.

If you’re reliant on a third-party kext and have an M1 Mac, you have my sympathy. There’s no easy solution when there isn’t a modern replacement such as a system extension, and that’s hard when you still need to support older hardware. I don’t have a good answer yet for what I’m going to do with my old Promise Pegasus RAID system, for which I still have several sets of hard disks containing old backups. As the kexts to support that hardware are now unsupported and Intel-only, I’m probably going to have to retain an old Intel Mac in case I ever want access to them.

However, macOS can’t go on indefinitely supporting old kexts, even those that are now available with ARM-native code. The constraints on the kernel to do this, and the continuing toll of kernel panics and other problems, simply can’t justify it. As with other changes like the demise of optical disk drives, we’ll undergo a short period of pain, following which we’ll all be the better.

There are still some kexts whose importance merits special attention. Among them is SAT SMART, which gives access to S.M.A.R.T. health data on external disks connected via USB. If Apple isn’t prepared to do the decent thing and incorporate this facility into macOS, then the community needs to organise a modern replacement extension.

Then bring on kextermination. It’s long overdue and can only do our Macs a power of good.

Postscript

Several have questioned where Apple states that Activation Lock is disabled when an M1 Mac is running at Reduced Security. The answer is here, where Apple states the requirements for Activation Lock on an M1 Mac are two-factor authentication for Apple ID, and that “the security policy must be set to Full Security, the default setting”. Additional requirements implicit in what is stated earlier in that article are that Find My Mac must be turned on for that Mac (“Activation Lock remains enabled as long as you keep Find My turned on”) and that the Mac remains signed in to iCloud (“Find My also turns off when you sign out of iCloud”).

Of course Apple might have changed this without updating that article, but at present that is the most definitive information that is available. Formally testing Activation Lock to demonstrate whether this still works when any of those conditions isn’t met is non-trivial.

If you’re unsure of the differences between kernel extensions and modern replacements such as system extensions, then you should find this article informative. The key sentence there is: “Most importantly for M1 Mac users, they don’t need macOS to be run at reduced security, nor approval in the Security & Privacy pane.”

If you still think that running your M1 Mac at Reduced Security with third-party kernel extensions loading is fine, then you should consider carefully Apple’s statement in its Platform Security Guide: “Important: Kexts are no longer recommended for macOS. Kexts risk the integrity and reliability of the operating system and Apple recommends users select solutions that don’t require extending the kernel.” [The emphasis is in the original.]

25Comments

Add yours

1

Simon on April 17, 2022 at 3:57 pm

My M1 Pro 14″ MBP has, apart from all its Apple-supplied arm64e kexts, two kexts from “Identified Developer” that are both x86_64 only. However, they’re in /System/Library/Extensions and cannot be removed/deleted. Last modified date coincides with 12.3 update installation. Neither of these two kexts is notarized and of course they aren’t loaded either. Still, what are they doing on this system?

LikeLiked by 2 people
- 2
  
  hoakley on April 17, 2022 at 7:23 pm
  
  Thank you. I suspect they’re part of the standard macOS install, which differs very little indeed (Rosetta being an important exception, which is installed separately anyway) between Intel and M1 architectures.
  As they’re not ARM-native, they can’t be loaded on an M1. They can’t be deleted because they’re in the signed and sealed snapshot, which can’t be changed. They’re not notarized, because Apple doesn’t require itself to notarize any of its software, although they are signed.
  I expect that they will vanish in time.
  Howard.
  
  LikeLiked by 1 person
3

Sab Gigo on April 17, 2022 at 4:55 pm

Howard, thank’s for your article. It provoked me to investigate my kext status using BPUTIL and System Information, and here is what I found out:

I am using DriveDx 1.11.0 and SATSMART 0.10.3 kext driver with Monterey 12.3.1, and this appears to be quite stable — although I have have had a single reboot ?maybe due to a kernel panic? I confirmed that the kext is loaded. My Activation Lock Status shows “Enabled” in System Information, so that seems different from what your article states.

I also have an OWC USB-C Travel Dock, which provides a kext to support USC-C high-powered charging ports. I have verified that the high-powered ports on the dock are enabled, but interestingly, the kext is listed as not “loaded”.

There are 7 other kexts listed from “Identified Developers,” that likewise are not loaded: 4 are notarized (HighPointIOP, HighPointRR, hp_fax_io, hp_io_printerclassdriver_enabler), 3 are not (ArcMSR, hp_io_enabler_compound, PromiseSTEX).

Sometimes, I do switch back to “Full Security” mode, but to again enable DriveDX for USB external drives, I have to reinstall the SATSMART package and allow it in the “Security & Privacy” pane of System Preferences. This is cumbersome – maybe there is a quicker way using the commands in Terminal.
In any event, I look forward to “kextermination” but I, too, keep my fingers crossed that someday, Apple will support SMART with USB external devices – I really can’t see a reason why not – the information provided is just too useful to not have available.

LikeLiked by 1 person
- 4
  
  hoakley on April 17, 2022 at 7:34 pm
  
  (I apologise, but your comment got trapped among the spam.)
  Thank you.
  Apple states quite clearly that Activation Lock only works when an M1 Mac is in Full Security mode. There isn’t any easy way to test that, I fear, but I suspect the status doesn’t reflect what would actually happen if it were to be needed when your Mac is in Reduced Security. I think the HighPoint kexts are part of the standard macOS install, and only used on Intel Macs anyway.
  As you will read in a couple of days, I have been trying to address this issue with SAT SMART, but I’m not prepared to downgrade the security of my production system, so I have hit a brick wall here. We need that kext as a modern extension for M1 Macs, and I’m not sure why that hasn’t been done yet.
  Howard.
  
  LikeLiked by 1 person
  - 5
    
    ninjaturtle45 on April 17, 2022 at 11:21 pm
    
    “Apple states quite clearly that Activation Lock only works when an M1 Mac is in Full Security mode.”
    
    Can you please post the link to any Apple articles that confirm this? An Apple Pay article (https://support.apple.com/en-ca/HT209016) mentions that Full Security is required for T2-equipped Macs, but it doesn’t mention Apple silicon Macs.
    
    Also, on Apple silicon Macs, recoveryOS (where Activation Lock is enforced) is always locked in to Full Security due to RemotePolicy constraints, regardless of what security level macOS is set to.
    
    LikeLiked by 2 people
    - 6
      
      ninjaturtle45 on April 17, 2022 at 11:28 pm
      
      EDIT: Found the article: https://support.apple.com/en-ca/HT208987
      
      I’m still in doubt whether that requirement is actually enforced. I’ll have to do some testing on my M1 Mac when I have some time.
      
      The only real threat vector I can imagine at the moment is if someone decided to downgrade to Permissive Security, and modify the system volume to remove all services related to Find My Mac (so that Activation Lock can never be triggered remotely). That downgrade process still requires someone to be physically present AND know an admin password.
      
      LikeLiked by 2 people
    - 7
      
      hoakley on April 18, 2022 at 6:34 am
      
      Well, you can believe what you want. Apple’s article is completely explicit, and proving that it’s incorrect is non-trivial.
      Howard.
      
      LikeLiked by 1 person
    - 8
      
      hoakley on April 18, 2022 at 6:32 am
      
      I have added a Postscript which provides the link and further information.
      I’m not sure what recoveryOS has to do with any of this – I try to spend as little time in Recovery as possible!
      Howard.
      
      LikeLiked by 1 person
  - 9
    
    Sab Gigo on April 18, 2022 at 2:42 am
    
    My further research into Activation Lock in “Reduced Security” is interesting…
    
    1) Activation Lock Status shows Enabled. Find My is ON. Location is active. Sound can be played on M1 Mac mini.
    2) Turned off Find My. Activation Lock Status is Disabled.
    3) Shut down and Reboot goes to Activation screen in RecoveryOS. Need to enter User Login Password — not Apple ID Password (only the User that turned off Find My is presented.
    4) After password is entered and accepted, Mac reboots into RecoveryOS once more and presents all users for password entry (presumably to unlock disk for File Vault 2. macOS then restarts normally.
    5) Following Login, I immediately redisplayed System Information. The last entry on the Hardware Overview was “Provisioning UDID”. I exited Sytem Information and relaunched several times. In a short while, the Activation Lock Status entry reappeared and showed Enabled.
    6) Went to the FindMy setting, and discovered it was ON, without my turning it on.
    
    All the above occurred without switching back to Full Security. I would venture to guess that once Activation Lock has been engaged for a particular AppleID, that seems to persist even in Reduced Security mode. I am wondering if Apple’s specification that “On a Mac with Apple silicon, the security policy must be set to Full Security, the default setting” actually means that it cannot be setup for the first time unless in Full Security mode. Also, Apple’s document HT208987, dated July 16, 2021, might not be up-to-date for the current version of macOS (Monterey).
    
    Of course, this is my experience, and your mileage may vary (LOL).
    
    LikeLiked by 1 person
    - 10
      
      Sab Gigo on April 18, 2022 at 3:03 am
      
      Just one more thing…
      I switched to Permissive Security and rebooted, and at this point, Activation Lock is still showing “Enabled”. This would lead me to believe that your iCloud Account and its settings are not affected by the Mac Startup Security Settings. In particular, it appears that once Activation Lock has been set up while in Full Security, it does not change when you alter the Startup Security setting, which I think makes sense. You must turn off Activation Lock in the iCloud settings pane, and that requires entering the password for your Apple ID.
      
      LikeLiked by 1 person
    - 11
      
      hoakley on April 18, 2022 at 6:36 am
      
      You are welcome to believe what you want. However, that isn’t what that article states at all. Its meaning is unambiguous, although it could of course be incorrect.
      Howard.
      
      LikeLiked by 1 person
12

markbot2zero on April 17, 2022 at 8:01 pm

Dear Howard,

“kextermination” got you a chuckle across the pond.

re: “We need that kext as a modern extension for M1 Macs, and I’m not sure why that hasn’t been done yet.”

Resurrections take time?

-Mark

LikeLiked by 2 people
- 13
  
  hoakley on April 17, 2022 at 10:26 pm
  
  Thank you.
  I thought that all the best resurrections took just three days?
  Howard.
  
  LikeLiked by 2 people
14

John Gilbert on April 18, 2022 at 1:55 am

I don’t look forward to kextermination, if only because of SAT SMART Driver. The kext is almost dead and extermination will finish it. As you know, the developer has not made changes for 5 years. It is on life support from by Binary Fruit who provide properly signed kexts and have recompiled for Apple Silicon, but have not (I think) updated the code. There is no sign of Binary Fruit, smartmontools, or anyone else, taking on the transition from a kext to a System Extension – even if that is possible without additions (by Apple) to the kernel.

LikeLiked by 2 people
- 15
  
  hoakley on April 18, 2022 at 6:35 am
  
  Thank you. I agree, and tomorrow you’ll read of my attempts to address this and install the kext.
  Howard.
  
  LikeLiked by 1 person
16

artiste212 on April 18, 2022 at 3:14 am

Howard, I loved reading this article. I suppose kexts are not long for this world, but what about software known as system extensions? For example, some very popular Rogue Amoeba audio applications install software that requires reducing security to connect to system audio. Is this also likely to be “exterminated?” And how serious is the reduction in security for these extensions?

LikeLiked by 2 people
- 17
  
  hoakley on April 18, 2022 at 6:39 am
  
  Thank you.
  I have added a postscript about system extensions, with a link to my earlier article considering them. No, system extensions and their relatives are the modern replacement for kernel extensions, and are deemed safe to use. They don’t require any reduction in security either.
  Howard.
  
  LikeLiked by 1 person
  - 18
    
    artiste212 on April 18, 2022 at 10:00 pm
    
    I just today learned that the software for controlling my Blue Yeti also installs a similar extension requiring reducted security. For now, users have a choice of functionality or reduced security. It will probably take Apple’s administering the coupe de grace to kernel extensions for much third party software to be rewritten according to the new guidelines.
    
    Thanks for making this clear. Now, I’ve got to decide how much I need the offending software. That’s not yet clear.
    
    LikeLiked by 1 person
    - 19
      
      hoakley on April 18, 2022 at 10:22 pm
      
      I’m sorry about that. I think the two issues here are that there’s a limited number of developers around the world who can write good kernel extensions, and now system extensions. And Apple didn’t make documentation/examples or approval for these new types of extension available until relatively recently.
      However, developers have had years to take note of Apple’s warnings that kexts are one day going to vanish altogether.
      Howard.
      
      LikeLike
20

Alan Ralph on April 18, 2022 at 4:06 pm

I use several of Rogue Amoeba’s apps, in particular Audio Hijack, Loopback and SoundSource, and while their shared Audio Capture Engine (ACE) is a System Extension, it requires sufficiently elevated permissions that it requires the steps you outlined above to step down to Reduced Security, at least for the initial install, according to their support page at https://rogueamoeba.com/support/knowledgebase/?showArticle=ACE-StepByStep

While I’m not planning to move to an Apple Silicon Mac any time soon, it is something that concerns me. I guess I’ll have to wait and see if a better way can be found that doesn’t require Reduced Security. Worst case scenario, I’ll need to keep the current Mac in good shape for a lot longer.

LikeLiked by 1 person
- 21
  
  hoakley on April 18, 2022 at 4:22 pm
  
  Thank you. According to that, ACE is treated as a kext as far as Secure Boot is concerned, which surely gives it the worst of both worlds – you have to reduce security, but it’s “only an audio extension”. Hopefully Rogue Amoeba and Apple will reach a better accommodation in the future.
  Howard.
  
  LikeLike
22

Kai Howells on April 18, 2022 at 9:24 pm

I can confirm that both the Promise Pegasus and the Promise Pegasus 2 both work on an M1 Mac with the latest Promise Pegasus2 series driver.
While the Driver does not state anything about compatibility with the Promise Pegasus RAID enclosure, it does indeed work with the Pegasus2 driver.
Yes, you have to drop the Mac into reduced security mode. One thing I haven’t tried (as I don’t think it will work) is dropping the Mac into reduced security mode, installing and loading the driver, and then bumping the security back up to full security once the driver has been confirmed working.

LikeLiked by 1 person
- 23
  
  hoakley on April 18, 2022 at 10:27 pm
  
  Thank you. That’s comforting, but unless Promise converts this into a modern system extension or driver, it’s likely to be unusable.
  There’s a popular myth that on M1 Macs you can drop into reduced security, install a third-party kext, then bump security back up to Full Security and carry on. That isn’t what Apple says: if your Mac has to load third-party kexts, then it can only do so in reduced security mode. In Full Security, the AuxKC isn’t loaded at all, so your third-party kext won’t be loaded. End of story.
  Howard.
  
  LikeLike
24

MrB on July 14, 2022 at 10:37 pm

As an engineer at a PCIe hardware manufacturer, I can attest that Apple has been making us feel more and more unwelcome in the kernel since at least Catalina. We started working on a new DEXT to replace our KEXT, but we’ve been severely hampered by useless documentation & sample code, and Apple’s DTS engineers thus far haven’t been able to help us get past provisioning roadblocks.

LikeLiked by 1 person
- 25
  
  hoakley on July 15, 2022 at 10:18 am
  
  I’m sorry to hear that. Yes, Apple has been slow and unhelpful across the board with replacements to kernel extensions. That ball remains firmly in Apple’s court still.
  Howard.
  
  LikeLike