hoakley July 2, 2023 Macs, Technology

Last Week on My Mac: Secure Boot conflicts

Central to the secure design of Apple silicon is Secure Boot, the intricate mechanism that ensures everything in the boot process from firmware through to macOS and its extensions is verifiably secure. Full Security is the default and standard level set by Apple, although you can choose to run at Reduced Security in order to load user-approved kernel extensions. As Apple has officially deprecated those kernel extensions in favour of system extensions, which are intended to function fully in Full Security, very few Apple silicon Macs should now need to run at anything other than Full Security. That’s the theory, but does it work in practice?

While most software that has previously relied on kernel extensions has been able to replace them with system extensions and their kindred that work in Full Security, there are some important exceptions. Here I’ll consider two: SoftRAID and Rogue Amoeba’s Audio Capture Engine, ACE.

SoftRAID is a popular and superior alternative to the software RAID implementation offered through Disk Utility. Despite what I must presume were prolonged efforts to turn it into some form of system extension that could be loaded without changing security level, Apple has finally included its kernel extension in Ventura 13.3. Now that it’s part of the standard macOS system software, it’s included in the Boot Kernel Collection and no longer requires the user to adopt Reduced Security and enable its loading. While that’s good news, it’s also an admission that SoftRAID couldn’t be implemented without using a kernel extension after all. It hasn’t been explained why it has taken over two years to solve this.

Rogue Amoeba’s audio tools are justly popular, and its developers have been able to deliver the features of its Audio Capture Engine using a system extension instead of the previous kernel extension. However, for the moment at least, in order to install and use that system extension, Apple silicon Macs require the adoption of Reduced Security, just as if it was still a kernel extension. No explanation has been given as to why that should be so, and Rogue Amoeba is adamant that ACE doesn’t interact directly with the kernel in any way.

These are two admittedly challenging problems in the transition from kernel extensions: in one, it appears that the code must continue to run as a kernel extension, so it has to be made part of macOS; in the other, despite becoming a system extension it still requires a change in security level to be able to use it, which shouldn’t have been necessary.

SoftRAID demonstrates that, no matter how Apple might want us all to believe that there’s no need for third-party kernel extensions, there are occasions when there’s no other option. Yet Apple insists that support for kernel extensions is going to be removed. In its Platform Security Guide, for example: “This is why developers are being strongly encouraged to adopt system extensions before kext support is removed from macOS for future Mac computers with Apple silicon.” Again in Developer Support: “As part of our ongoing effort to modernize the platform, improve security and reliability, and enable more user-friendly distribution methods, kernel extensions have been deprecated.”

Rogue Amoeba’s ACE demonstrates that even when you do follow Apple’s instructions for developing a system extension, it can still require Reduced Security. But does that really matter, or is Apple gilding the lily in Full Security? Apple describes Reduced Security as permitting “actions that can put a user’s system security at risk”, pointing out that “kexts have the same privileges as the kernel, and thus any vulnerabilities in third-party kexts can lead to full operating system compromise.” And that’s Apple’s justification for developers to switch to system extensions. Nowhere can I find an explanation from Apple as to why a system extension should require Reduced Security.

The current version of Apple’s Platform Security Guide is dated May 2022, and its annual update is well overdue. I’m looking forward to reading explanations for these contradictions in the current implementation of Secure Boot.

I’m very grateful to Ron for reminding me of these discrepancies, in his comment to my article on deprecation.

29Comments

Add yours

1

hhanche on July 2, 2023 at 8:31 am

I use Rogue Amoeba’s SoundSource myself, and I was definitely surprised by the need to downgrade the security level. At least, I have verified that the ACE components don’t include a kernel extension by running this command:

kmutil showloaded | grep -Fv com.apple.

At least, I am pretty confident that this is the appropriate way to check.

LikeLiked by 1 person
- 2
  
  hoakley on July 2, 2023 at 8:37 am
  
  Thank you.
  Howard.
  
  LikeLike
3

sclsjoy on July 2, 2023 at 9:34 am

ACE do not require reduced security level to run. You just need to add consent manually in Recovery: `spctl kext-consent add 7266XEXAPM`. See https://rogueamoeba.com/support/knowledgebase/?showArticle=ACE-AlternateInstall&product=General.

I do not understand why this is not the default method for ACE installation.

LikeLiked by 1 person
- 4
  
  hoakley on July 2, 2023 at 8:01 pm
  
  Thank you.
  It begs the question as to why something that manifestly isn’t a kernel extension requires kext consent, doesn’t it? Maybe Jeff Johnson has the answer.
  Howard.
  
  LikeLike
  - 5
    
    sclsjoy on July 11, 2023 at 3:55 am
    
    I emailed Rogue Ameoba about this and they are unable to provide more information than “ask Apple”. Below is their reply.
    
    While older Intel Macs and versions of MacOS only required entering an administrator password to install and use ACE, M-series Macs do currently require these additional steps to grant authorization. As the article notes, the “Reduced Security” setting is still extraordinarily secure (Apple wouldn’t provide it if it weren’t). Your Mac still won’t be able to run an unsigned operating system or unsafe software. The adjustment simply makes it possible for you to allow third party extensions, like ACE, on a case-by-case basis. Outside of ACE and deprecated kernel extensions, third-party device drivers for devices like scanners and printers may also require similar steps to complete setup.
    
    Ultimately, Apple can best explain their reasoning for these new restrictions on their M-series chips. If you’re wanting to use the functionality that ACE provides without modifying these settings, you’ll want to pass that feedback on to Apple directly, as it will be up to them to revise these restrictions in future versions of MacOS.
    
    Similarly, we’ll also have to watch for other ways we might be able to simplify the setup process further in the future.
    
    I hope this clears things up. Please let me know of any other questions or feedback.
    
    LikeLiked by 2 people
    - 6
      
      hoakley on July 11, 2023 at 6:13 am
      
      Thank you.
      I don’t think that they can say any more.
      Howard.
      
      LikeLike
- 7
  
  dvessel on July 6, 2023 at 2:49 pm
  
  Thanks for posting this. I can only imagine that they were afraid of user error while typing out the identifier *or it was a late discovery*. I much prefer this than the lowered security level. When I initially installed ACE a few years ago, it screwed with my credit cards in my wallet and I had to re-enter them.
  
  LikeLiked by 1 person
  - 8
    
    hoakley on July 6, 2023 at 2:51 pm
    
    I think the reason is clear from Jeff Johnson’s elephant.
    Howard
    
    LikeLike
    - 9
      
      dvessel on July 6, 2023 at 7:41 pm
      
      Seems too convenient of an explanation. Capturing internal audio to pirate can be time consuming. Certainly not worthwhile enough to scale and cause a dent. There’s also CaptureKit that can enable audio recordings. OBS is the only software I’m aware of that uses it which I find confusing. It’s been in Ventura from the start but not widely supported. It can’t even be used with QuickTime.
      
      LikeLiked by 1 person
    - 10
      
      hoakley on July 6, 2023 at 8:35 pm
      
      Then can you explain why Apple – who makes the rules – requires something that isn’t a kernel extension or even a modern system extension to obtain consent as a kernel extension? That doesn’t happen by accident, but by intention.
      Howard.
      
      LikeLike
11

Enzo Vincenzo on July 2, 2023 at 10:05 am

First of all I state that I’m talking about an Intel iMac (moreover optimized with OCLP…) and in any case, perhaps, my observations can contribute to the discussion and/or help someone.
From Mac OS X 10.1 and 10.2 up to Ventura I’ve only had two serious problems related to third party kexts. But be careful, because in one case the problem (very serious and that I won’t stop to describe) was caused by an Audio Module (and not by a /Library/Extensions/xXxxkext) which was interacting with the System anyway.
In the other case the kext that also caused Kernel Panic was a Coriolis kext installed on first boot by the iDefrag and iPartition apps which I still use successfully for JHFS+ disks.
Since Coriolis has reversed the updates, I solved the problem myself by opening the kext packages and replacing the bin file with an empty bin file.
If I remember correctly I had to start doing it with Catalina and even now that I use Ventura the two fantastic Coriolis Apps work perfectly and the System too.
Just to say that if want and know how… can tame and make even problematic Kexts harmless… ;-)

LikeLiked by 1 person
- 12
  
  hoakley on July 2, 2023 at 8:04 pm
  
  Thank you.
  Unfortunately, kexts have a long history, like INITs before them, of doing horrible things to Macs. They have been a major cause of kernel panics and of data loss. What’s even worse is that they are a security nightmare: as they run at a privileged level, a malicious kext can take over your Mac and there’s absolutely nothing you can do about it then.
  I for one will be absolutely delighted to see the back of them.
  Howard.
  
  LikeLiked by 1 person
13

alberic on July 2, 2023 at 10:10 am

The problem with the new extensions proposed by Apple is that they need the mediation of the operating system to access the hardware. This means that in order to do their jobs the drivers must go through context switches which are very expensive in terms of performance.

This reminds me of the problems that Microsoft was faced with while WinNT was at version 3. The graphics driver was run at the most protected level with dismal performance. MS quickly reacted with a graphics driver that to accessed the hardware directly. If I remember well this was at version 3.51!

While Apple’s way presents no problems for relatively slow data streams (like audio data)., this is a no-no for hardware requiring high throughput (like Fiber Channel). I use ATTO hardware to feed my tape drives. ATTO’s business is mainly Windows servers. We’ll see if Apple can negotiate with ATTO old style kernel extensions for ATTO PCIe cards which would be inextricably part of macOS…

LikeLiked by 2 people
- 14
  
  hoakley on July 2, 2023 at 8:14 pm
  
  Thank you.
  Other than Mac Pro models, which are specialist, the fastest external bus available from any Mac is Thunderbolt 3, which at up to 32 Gb/s is ample for the great majority of devices that Mac users might wish to connect to their Macs. Apple silicon Macs cope fine with unprivileged access to such devices over TB3, and there’s absolutely no need for privileged drivers. Sure, you can’t exceed around 3 GB/s in one direction, but as that’s the bus limit anyway, your hardware can’t whatever driver you try.
  Howard.
  
  LikeLiked by 1 person
  - 15
    
    alberic on July 3, 2023 at 1:23 pm
    
    I have an Mac Pro 2019 -:) I checked the latest version of the ATTO H1244 GT SAS PCIe card. While the driver supports both Intel & Apple Silicon, it is still an “old” style kext.
    
    LikeLiked by 1 person
    - 16
      
      hoakley on July 3, 2023 at 6:22 pm
      
      Lucky you! And I’m happy for you that you’ve found that support.
      I don’t think that Apple intends dropping kexts on Intel Macs. What they’ll do for Apple silicon Mac Pros, I don’t know.
      Howard.
      
      LikeLiked by 1 person
17

John Gilbert on July 2, 2023 at 10:17 am

Two other kexts widely used are Intel EnergyDriver and SATSMARTDriver.

Like SoftRAID, it was never likely that these could be replaced with System Extensions. In my view, Apple should long ago have incorporated both into the kernel and just exposed what was needed for normal apps to access data. This could never have been threatening as app access would be read only.

LikeLiked by 2 people
- 18
  
  hoakley on July 2, 2023 at 8:16 pm
  
  “Two other kexts widely used are Intel EnergyDriver and SATSMARTDriver.”
  Well, I’m with you on SATSMART, although I don’t see why that couldn’t be implemented as modern driver rather than a kext. Given that this is all about Apple silicon Macs, I can’t think what you’d want Intel Energy Driver for there. Or am I missing something?
  Howard.
  
  LikeLike
19

Ingo on July 2, 2023 at 11:05 am

Are you aware that the Platform Security Guide got an update in December 2022 though it still says “May 2022” on the first page? According to the document history only the chapter about iCloud got an update. The number of pages has been reduced though I don’t think that anything has been removed. It’s just that the formatting of the whole document has been changed.

LikeLiked by 1 person
- 20
  
  hoakley on July 2, 2023 at 8:22 pm
  
  Thank you.
  Yes, Apple does update some sections in between its annual major rewrites. As this is about kernel extensions and Secure Boot, I’m not sure how that’s relevant: the guide is well overdue that annual rewrite, and isn’t even up to date with respect to Ventura, let alone Sonoma. Its coverage of XProtect Remediator is woefully out of date too, dating from May 2022 when XPR was at version 2 and han’t even been fully implemented.
  I hope this isn’t another wonderful tool that is going to be left to wither on the vine.
  Howard.
  
  LikeLike
21

Enzo Vincenzo on July 2, 2023 at 11:06 am

@John Gilbert wrote “… This could never have been threatening as app access would be read only.”
Exactly Gilbert! You said the right thing! Apple once was incorporate many Kexts (drivers) into Mac OS X that made Macs more universal than Windows in the Plug&Play. And it was always a pleasure to work with a Mac without fear of incompatibilities.

LikeLiked by 1 person
- 22
  
  hoakley on July 2, 2023 at 8:24 pm
  
  macOS currently ships with over 590 kernel extensions, without which nothing would work. But there should be no need for kernel extensions written by third-party developers, which is the whole aim of Secure Boot on Apple silicon.
  Howard.
  
  LikeLiked by 1 person
23

Jeff Johnson on July 2, 2023 at 11:43 am

To clarify misconceptions, as a former Rogue Amoeba engineer: ACE is not a “system extension”. That’s more or less a lie by Apple. ACE is a Core Audio plug-in, installed in /Library/Audio/Plug-Ins/HAL, and this was true even before Apple silicon existed. Rogue Amoeba used a kernel extension in the distant past, but this hasn’t been the case for many years (off the top of my head, since OS X 10.8 or thereabouts?).

LikeLiked by 2 people
- 24
  
  hoakley on July 2, 2023 at 11:54 am
  
  Thank you, Jeff. This then begs the question as to why it needs to be authorised as a kext?
  Howard
  
  LikeLiked by 1 person
  - 25
    
    Jeff Johnson on July 2, 2023 at 12:07 pm
    
    Lord knows. But the elephant in the room is that Apple runs a paid streaming Music service.
    
    LikeLiked by 2 people
    - 26
      
      hoakley on July 2, 2023 at 12:48 pm
      
      A service with a very high privilege level indeed.
      Howard
      
      LikeLiked by 1 person
  - 27
    
    Enzo Vincenzo on July 2, 2023 at 2:35 pm
    
    Waiting for the reply from Eng. Jeff, I’ll tell you more about my experience and say that in my opinion Apple should definitely check everything that starts on startup including 3rd party audio plug-ins that almost everyone forgets to get removed (including the 1st level Apple Support …) when providing help to Users with startup problems…
    I have already written that I had a serious problem with an audio Plug-In which (as if it had been a Kext placed in /Library/Extensions) caused me some absurd and inexplicable problems; to the point that I was about to format and install macOS from scratch.
    I add, now, that the issues consisted in the disappearance of the menu bar and in the absurd and inaccurate responses of the keyboard…
    So, by logging in in Safe Mode and after removing everything from /Library/Extensions/, from /Agents, from /Daemons and everything else that started at Login, Java Plug-In included, etc., finally I had the enlightenment to remove the audio Plug-Ins as well.
    Only then did I find out that the cause of everything was the ”BOOM 3D” Plug-In which I hadn’t updated yet the App to the last version.
    
    LikeLiked by 1 person
28

Brian Parker on July 4, 2023 at 6:30 pm

I have applied the alternative ACE consent via spctl as pointed out by sclsjoy and I am delighted to see SilentKnight report full Platform Security. I suppose Rogue Ameoba must consider this method more prone to error but it was simple enough and better than making a security compromise. Thanks to Howard and the commenters for shedding light on this annoying situation and Jeff Johnson’s comments in particular for flagging up the most likely reason behind this foolishness.

LikeLiked by 1 person
- 29
  
  hoakley on July 4, 2023 at 7:51 pm
  
  Thank you.
  Howard.
  
  LikeLike