Hi,
I'd like to re-sign an app with an embedded kernel extension. The primary reason for it is that the author of the extension has not signed the binary with a timestamp ("The signature does not include a secure timestamp."), and as such the app fails the notarisation process.
Sadly, I cannot find any way in the Developer Program admin panel to generate a certificate with kernel extensions support.
What's the process of generating this certificate?
Many thanks for your help
Post not yet marked as solved
On modern systems all KEXTs must be code signed with a Developer ID. Additionally, the Developer ID must be specifically enabled for KEXT development. You can learn more about that process on the Developer ID page.
If your KEXT is having code signing problems, check that it’s signed with a KEXT-enabled Developer ID. Do this by looking at the certificate used to sign the KEXT. First, extract the certificates from the signed KEXT:
% codesign -d --extract-certificates MyKEXT.kext
Executable=/Users/quinn/Desktop/MyKEXT/build/Debug/MyKEXT.kext/Contents/MacOS/MyKEXT
This creates a bunch of certificates of the form codesignNNN, where NNN is a number in the range from 0 (the leaf) to N (the root). For example:
% ls -lh codesign*
-rw-r--r--+ 1 quinn staff 1.4K 20 Jul 10:23 codesign0
-rw-r--r--+ 1 quinn staff 1.0K 20 Jul 10:23 codesign1
-rw-r--r--+ 1 quinn staff 1.2K 20 Jul 10:23 codesign2
Next, rename each of those certificates to include the .cer extension:
% for i in codesign*; do mv $i $i.cer; done
Finally, look at the leaf certificate (codesign0.cer) to see if it has an extension with the OID 1.2.840.113635.100.6.1.18. The easiest way to view the certificate is to use Quick Look in Finder.
Note: If you’re curious where these Apple-specific OIDs come from, check out the documents on the Apple PKI page. In this specific case, look at section 4.11.3 Application and Kernel Extension Code Signing Certificates of the Developer ID CPS.
If the certificate does have this extension, there are some other problems with your KEXT’s code signing. In that case, feel free to create a new thread here on DevForums with your details.
If the certificate does not have this extension, there are two possible causes:
Xcode might be using an out-of-date signing certificate. Re-create your Developer ID signing certificate using the developer site and see if the extension shows up there. If so, you’ll have to investigate why Xcode is not using the most up-to-date signing certificate.
If a freshly-created Developer ID signing certificate does not have this extension, you need to apply to get your Developer ID enabled for KEXT development per the instructions on the Developer ID page.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Change history:
20 Jul 2016 — First published.
28 Mar 2019 — Added a link to the Apple PKI site. Other, minor changes.
15 Mar 2022 — Fixed the formatting. Updated the section number in the Developer ID CPS. Made other minor editorial changes.
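The certificate check described in the post above, as an added example that is not part of Quinn's post or of Apple's tooling: a small standard-library Python script that walks a DER-encoded certificate (the codesign0.cer that `codesign -d --extract-certificates` writes is DER) and reports whether the KEXT-signing extension OID 1.2.840.113635.100.6.1.18 is present. The two sample inputs are hand-encoded X.509 Extensions blocks constructed for the example, not real certificates; the file name and the helper names are assumptions.

```python
# Added example (not from the original thread): look for the Apple
# KEXT-signing extension OID in a DER certificate using only the
# standard library. A minimal DER walker collects every OBJECT
# IDENTIFIER in the blob; the check is then a membership test.
import sys

KEXT_SIGNING_OID = "1.2.840.113635.100.6.1.18"


def _read_tlv(data, pos):
    """Parse the DER element at data[pos].
    Returns (tag, constructed, value_start, value_end, next_pos).
    Handles short/long length forms and high-tag-number tags."""
    tag = data[pos]
    constructed = bool(tag & 0x20)
    pos += 1
    if tag & 0x1F == 0x1F:          # high tag number: skip base-128 bytes
        while data[pos] & 0x80:
            pos += 1
        pos += 1
    length = data[pos]
    pos += 1
    if length & 0x80:               # long form: low bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, constructed, pos, pos + length, pos + length


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets to dotted-decimal form."""
    first = raw[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:         # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def oids_in_der(data, pos=0, end=None, found=None):
    """Recursively walk a DER blob and return every OID it contains, in
    document order. Descends into SEQUENCE/SET and [n] EXPLICIT wrappers,
    which is enough to reach extnID inside an X.509 Extension."""
    if end is None:
        end = len(data)
    if found is None:
        found = []
    while pos < end:
        tag, constructed, vstart, vend, nxt = _read_tlv(data, pos)
        if tag == 0x06:
            found.append(decode_oid(data[vstart:vend]))
        elif constructed:
            oids_in_der(data, vstart, vend, found)
        pos = nxt
    return found


def has_kext_signing_oid(cert_der):
    """True if the certificate carries the KEXT-enabled Developer ID extension."""
    return KEXT_SIGNING_OID in oids_in_der(cert_der)


# Constructed sample (hand-encoded, not from a real certificate): an
# Extensions SEQUENCE holding one Extension whose extnID is the KEXT OID
# and whose extnValue is an OCTET STRING wrapping NULL.
SAMPLE_WITH_KEXT_OID = bytes.fromhex(
    "3012"                          # SEQUENCE, 18 bytes
    "3010"                          # SEQUENCE (Extension), 16 bytes
    "060a2a864886f76364060112"      # OID 1.2.840.113635.100.6.1.18
    "04020500"                      # OCTET STRING { NULL }
)

# Constructed sample without the KEXT OID: a critical basicConstraints
# (2.5.29.19) extension, which any CA certificate would carry.
SAMPLE_WITHOUT_KEXT_OID = bytes.fromhex(
    "3011"                          # SEQUENCE, 17 bytes
    "300f"                          # SEQUENCE (Extension), 15 bytes
    "0603551d13"                    # OID 2.5.29.19
    "0101ff"                        # BOOLEAN TRUE (critical)
    "0405300301 01ff".replace(" ", "")  # OCTET STRING { SEQUENCE { BOOLEAN TRUE } }
)

if __name__ == "__main__":
    # Usage: python3 check_kext_oid.py codesign0.cer   (file name assumed)
    path = sys.argv[1] if len(sys.argv) > 1 else "codesign0.cer"
    with open(path, "rb") as f:
        der = f.read()
    print("KEXT-signing OID present" if has_kext_signing_oid(der)
          else "KEXT-signing OID NOT present")
```

The same fact can be read off with `openssl x509 -inform DER -in codesign0.cer -text -noout`, where the OID appears by number under "X509v3 extensions"; the script is useful when the check has to run in a build pipeline rather than by eye in Quick Look.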
Hi there forum,
I picked up an old open-source project from GitHub which is a driver for the Xbox 360 controller. I was going through it hoping to update the repo/build for Apple Silicon and learn some macOS kernel driver development along the way.
I have been scouring the Apple IOKit documentation archive and am about a quarter of the way through it, but currently I have an issue with the header search paths.
I need to import IOKit/usb/IOUSBLib.h as it contains the symbols utilised by the driver, and it appears that by default Xcode does not use the IOKit.framework headers, but the Kernel.framework headers (if I search for the definition of symbols that can be found, Xcode opens the Kernel.framework IOKit path).
Any idea how I can add the user-space IOKit to my driver? I saw that there's kernel/kernlib, kernel/IOKit, and just IOKit. But I'm a bit lost as to why this header file is not in the search path.
Thanks in advance,
If you're curious the code is here: https://github.com/VariableDeclared/360Controller/tree/pj/update-source-for-macos-12.0
Peter
Hi devs, help me please. I want to debug the Big Sur kernel on an Intel-based MacBook from Monterey on M1. I have installed KDK_11.6.4_20G417.kdk on the Monterey system on an M1 Mac mini, then launched lldb, created the target and got this message: WARNING! Python version 3 is not supported for xnu lldbmacros.
(lldb) target create /Library/Developer/KDKs/KDK_11.6.4_20G417.kdk/System/Library/Kernels/kernel
warning: 'kernel' contains a debug script. To run this script in this debug session:
command script import "/Library/Developer/KDKs/KDK_11.6.4_20G417.kdk/System/Library/Kernels/kernel.dSYM/Contents/Resources/Python/kernel.py"
To run all discovered debug scripts in this session:
settings set target.load-script-from-symbol-file true
Current executable set to '/Library/Developer/KDKs/KDK_11.6.4_20G417.kdk/System/Library/Kernels/kernel' (x86_64).
(lldb) settings set target.load-script-from-symbol-file true
##############################
WARNING! Python version 3 is not supported for xnu lldbmacros.
Please restart your debugging session with the following workaround
defaults write com.apple.dt.lldb DefaultPythonVersion 2
##############################
Loading kernel debugging from /Library/Developer/KDKs/KDK_11.6.4_20G417.kdk/System/Library/Kernels/kernel.dSYM/Contents/Resources/Python/kernel.py
LLDB version lldb-1300.0.42.3
Swift version 5.5.2-dev
settings set target.process.python-os-plugin-path "/Library/Developer/KDKs/KDK_11.6.4_20G417.kdk/System/Library/Kernels/kernel.dSYM/Contents/Resources/Python/lldbmacros/core/operating_system.py"
settings set target.trap-handler-names hndl_allintrs hndl_alltraps trap_from_kernel hndl_double_fault hndl_machine_check _fleh_prefabt _ExceptionVectorsBase _ExceptionVectorsTable _fleh_undef _fleh_dataabt _fleh_irq _fleh_decirq _fleh_fiq_generic _fleh_dec
command script import "/Library/Developer/KDKs/KDK_11.6.4_20G417.kdk/System/Library/Kernels/kernel.dSYM/Contents/Resources/Python/lldbmacros/xnu.py"
error: module importing failed: Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/Library/Developer/KDKs/KDK_11.6.4_20G417.kdk/System/Library/Kernels/kernel.dSYM/Contents/Resources/Python/lldbmacros/xnu.py", line 123
print "Execution interrupted by user"
^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print("Execution interrupted by user")?
settings set target.process.optimization-warnings false
How can I solve this problem? lldb is linked with Python 3, but the KDK uses Python 2; also, Command Line Tools version 12.5.1, which uses Python 2, cannot be installed on Monterey either.
Hi. My friend's iPhone is in a constant loop. I've looked into some of the stuff about panic codes; just wondering if someone could tell me the best way to fix it.
I've used the command
sudo kextutil -v /Library/Extensions/mykext
but got error:
Error Domain=KMErrorDomain Code=71 "Kernel request failed: (libkern/kext) not loadable (reason unspecified) (-603946989)" UserInfo={NSLocalizedDescription=Kernel request failed: (libkern/kext) not loadable (reason unspecified) (-603946989)}
and SIP is disabled
mac@bogon ~ % csrutil status
System Integrity Protection status: disabled.
Maybe resetting NVRAM is effective. Does anyone know how to resolve it another way?
Hello
We have a USB camera. My Mac can recognize it and we can get frames with any software. There is a physical button on it and the vendor says the camera is UVC-compliant. But the button doesn't work anyway.
I captured some USB traffic data and saw that it has two interfaces. One is for streaming and the other is for interrupts (like a button click). I read the UVC 1.5 standard to understand it, and it works as written in UVC 1.5. So, I can get data with an interrupt transfer when clicking the button.
I checked these two interfaces; they use UVCAssistant as the driver (a system extension). I tried to use libusb, and I can get data from the button click. But for frames I had to use libuvc, and it didn't work for my camera (I think it is related to USB descriptor parsing in libuvc).
I thought that I should write a driver for a single interface, so that the second interface would use the same UVCAssistant driver and the first interface would use my driver.
I wrote a driver and it matches the first interface. But the second interface is empty (unhandled by any driver). I want to load UVCAssistant for the second interface of the USB port.
How can I do this?
Output before loading my driver:
After loading:
IOKitPersonalities that I used:
I want to develop an app and verify its performance after the page cache has been cleared.
In Linux, the command "echo 3 > /proc/sys/vm/drop_caches" can be applied.
And in macOS, the command "sync && sudo purge" can be applied.
But both the commands cannot be applied to iOS.
Does any expert know the command to clear the page cache in iOS?
Thanks.
Hi, we have a KEXT-enabled Developer ID which we are using for code signing, and I have verified that the certificate contains the required 1.2.840.113635.100.6.1.18 extension. However, kextutil -tn still shows:
Untrusted kexts are not allowed
Kext with invalid signature (-67050) denied: /Library/StagedExtensions/Library/Extensions/A0587A5A-52FC-46DC-832E-81919195902C.kext
After signing, I also extracted the signature using the instructions here to verify that the correct KEXT-enabled Developer ID certificate was used during the signing process. I have "Apple Worldwide Developer Relations Certification Authority" and "Developer ID Certification Authority" certs in both the login and System keychains. Where do I go from here? Thanks!
Now more than ever, it would really help if it were S.O.P. for Apple to simultaneously release each KDK with each system update. System volume sealing makes the work-arounds for missing KDKs quite painful.
Hi, I'm developing firmware for a USB audio device for which audio playback currently cuts off after about a second.
The normal system logs via Console do not seem to throw any error related to USB audio (nor do kernel-only logs via log stream --process 0).
Is there a good way to dive deeper into what might be happening?
Looking into the AppleUSBAudio driver, it contains a bunch of verbose "USB Sound assertion (%s) in %s at line %d\n" logs via IOLog(). Are they supposed to end up in the system logs under normal conditions, or does this require setting IOKit debug verbosity in boot-args?
New to debugging macOS kernel things; thanks for helping!
Not really a question. As part of porting code from other platforms, FreeBSD and Linux, there is a #define macro used to specify module parameters. It is desirable for these new sysctls to show up automatically when "upstream" adds them (without having to manually maintain a list).
This is usually done with "Linker Sets" but they are not available in kexts, mostly due to __mh_execute_header.
I took a different approach with:
#define ZFS_MODULE_PARAM(scope_prefix, name_prefix, name, type, perm, desc) \
SYSCTL_DECL( _kstat_zfs_darwin_tunable_ ## scope_prefix); \
SYSCTL_##type( _kstat_zfs_darwin_tunable_ ## scope_prefix, OID_AUTO, name, perm, \
&name_prefix ## name, 0, desc) ; \
__attribute__((constructor)) void \
_zcnst_sysctl__kstat_zfs_darwin_tunable_ ## scope_prefix ## _ ## name (void) \
{ \
sysctl_register_oid(&sysctl__kstat_zfs_darwin_tunable_ ## scope_prefix ## _ ## name ); \
} \
__attribute__((destructor)) void \
_zdest_sysctl__kstat_zfs_darwin_tunable_ ## scope_prefix ## _ ## name (void) \
{ \
sysctl_unregister_oid(&sysctl__kstat_zfs_darwin_tunable_ ## scope_prefix ## _ ## name ); \
}
I.e., when the macro is used, I put __attribute__((constructor)) on a function named after the sysctl, which is then called automatically on kext load, and each one of those functions calls sysctl_register_oid().
And likewise for the destructor / unregister.
So far it works quite well. Any known drawbacks? I've not tested it on M1.
When are "/tmp" and the $TMPDIR directory cleaned up in macOS? I know about removing files and directories in the /tmp directory at boot time. Is that right? In addition, are there other times when the directory is cleaned up?
I've received details from Dropbox, and I'm waiting for confirmation from Microsoft, that Apple is deprecating some kernel extensions in the upcoming release of macOS.
My understanding is that the change is likely to cause problems with online files stored within OneDrive and Dropbox.
I'm trying to get an idea about the timing of the release of macOS 12.3 and updates from Microsoft and Dropbox. Dropbox have indicated that their Beta application update will be available at the end of March 2022—so, depending upon timing this may or may not be an issue.
I work within Higher Education in Australasia and am trying to work out the possible impact in order to provide advice to the sector.
Any information about the change, and likely impact would be welcomed.
Having a peculiar issue trying to support the use of O_EXCL (fail if O_CREAT and the file exists). It will fail the first time; then, if the call is repeated, it works as expected.
It is not entirely clear how macOS should handle O_EXCL; it has been mentioned that vnop_create() should always return EEXIST. Does that mean even in the success case it should return EEXIST instead of 0? That seems odd.
Output of test program is:
# (1) Create the file with (O_WRONLY|O_CREAT).
open okay
write okay
close okay
86 -rw-r----- 1 501 0 29 Jan 12 17:08 /Volumes/BOOM/teest.out
Deleting /Volumes/BOOM/teest.out
# (2) Try creating with (O_WRONLY|O_CREAT|O_EXCL).
writef: Stale NFS file handle
436207628 87 ---------- 1 501 wheel 0 0 "Jul 9 07:53:53 2037" "Jan 12 17:09:02 2022" "Jan 12 17:09:02 2022" "Jan 1 09:00:00 1970" 1048576 0 0 /Volumes/BOOM/teest.out
So, since the file is deleted in between the tests, O_EXCL shouldn't really kick in here, and yet something goes wrong.
The NFS server sends ESTALE to the NFS client. The dtrace stack is:
Stack:
kernel.development`nfsrv_setattr+0x7c6
kernel.development`nfssvc_nfsd+0xbdc
kernel.development`nfssvc+0x106
kernel.development`unix_syscall64+0x2ba
kernel.development`hndl_unix_scall64+0x16
Result:
0 259014 nfsrv_setattr: entry
0 259014 mac_vnode_check_open:entry
0 259015 hook_vnode_check_open:return 2 nfsd
0 259015 mac_vnode_check_open:return 2 nfsd
0 229396 nfsrv_rephead:entry
0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef
0: 46 00 00 00 F...
So, nfsrv_setattr() replies with 0x46/70 (ESTALE), seemingly because the call to hook_vnode_check_open() returns 2 (ENOENT).
Why, though? The file was removed; I verified the cache has no entry. Then it was created again, and I confirmed it IS in the cache.
<zfs`zfs_vnop_remove (zfs_vnops_osx.c:1700)> zfs_vnop_remove error 0: checking cache: NOTFOUND
<zfs`zfs_vnop_create (zfs_vnops_osx.c:1427)> *** zfs_vnop_create: with 1: EXCL
<zfs`zfs_create (zfs_vnops_os.c:660)> zfs_create: zp is here 0x0
<zfs`zfs_vnop_create (zfs_vnops_osx.c:1458)> ** zfs_vnop_create created id 82
<zfs`zfs_vnop_create (zfs_vnops_osx.c:1475)> zfs_vnop_create error -1: checking cache: FOUND
I am having issues finding where the code for hook_vnode_check_open comes from, anyway.
The failure call in nfs server is:
if (!error && mac_vnode_check_open(ctx, vp, FREAD | FWRITE)) {
error = ESTALE;
}
So, uh, why? If I let the test run again, this time the file exists and it returns EEXIST as expected.
If I run the first test twice, i.e. without O_EXCL, both work. So it seems to only go wrong with O_EXCL when the file doesn't exist.
It is curious why the NFS server figures out that exclusive is set, then clears va_mode:
case NFS_CREATE_EXCLUSIVE:
exclusive_flag = 1;
if (vp == NULL) {
VATTR_SET(vap, va_mode, 0);
But it doesn't use exclusive_flag until after calling VNOP_CREATE(), and it doesn't pass it either.
I have implemented the IOMedia filter driver without a content hint for macOS Mojave. The driver gets loaded successfully for the IOMedia objects with IOPropertyMatch as "Whole". I could filter the IO requests at the disk layer successfully. This works very well for RAW and formatted disks. The disk I am using here is an external SSD device attached to a Mac laptop using a Thunderbolt 3 interface.
I see the driver getting loaded when I plug in the TB3 cable. In this case the driver is able to filter the IO requests. If the disk is formatted with the HFS+ filesystem then I see the filesystem content too.
I am facing an issue when I keep the TB3 cable plugged in and reboot the laptop. I have kept the kext files in the "/System/Library/Extensions" directory. There are two scenarios to consider: either the disk is RAW or it is formatted with the HFS+ filesystem. Scenario 1 is working as expected, but in the second scenario the driver is not able to detect the disk.
Scenario 1: RAW disk (working well)
Attached the RAW disk through the TB3 cable to the laptop
Rebooted the laptop
I see the driver is loaded and filters the IO requests successfully.
Scenario 2: Disk formatted with the HFS+ filesystem (failed to load driver)
Attached the HFS+ filesystem disk through the TB3 cable to the laptop
Rebooted the laptop
I see the driver failed to detect the disk <<<=== FAILED
But macOS detected the HFS+ filesystem on the disk
In Scenario 2, after reboot the filter driver seems to be getting loaded, but it is not able to detect the disk. It seems the macOS FS driver detects the formatted disk before the filter driver does. But if I unplug the disk and plug it in again, I see the filter driver detects the disk and starts filtering IO requests.
I think this could be because of the driver loading order during boot time, but I am not sure. The filter driver should detect the disk before the macOS FS driver detects the formatted disk. That may be the reason the filter driver failed to detect the disk after reboot. I am out of ideas what can be done to resolve this issue.
Do you think it is a driver load order issue? How can we manage the driver load order in macOS?
Can anybody please help me to resolve this issue?
Thanks in advance.
Hi,
I'm trying to get some legacy software to work on an M1 MBP / Monterey. Unfortunately the app hasn't been updated since late 2018 and the developer has gone dark: no replies via support, many people have tried. The app (Controllermate) is a vital part of my workflow, so I really need this to work.
I am unable to approve kernel extensions in the System Prefs / Sec+Priv / General tab. Other apps show up there, but this one doesn't. I went through the whole Recovery mode / reduced security routine, but still nothing.
I'm not a developer, more of a power-user, so I'm asking for help here:
Is there any chance to get this to work without updating the software?
Any advice is highly appreciated!
Thank you!
What are the recommended steps for non-interactively testing kexts on Big Sur/Monterey? Our CI pipeline deploys our in-development kexts to a macOS system and then runs tests on them without human intervention. This worked fine through 10.15, but with the latest 11.x and 12.x I cannot find any way to get around having to click "Allow" next to "System software from developer has been updated" in Security & Privacy.
I thought perhaps this was a difference between notarized and non-notarized kexts, but even released versions of our kexts that are notarized experience the same problem.
SIP is completely disabled, kext-consent is disabled, and our Team ID has been added to the kext-consent list. None of these seems sufficient to avoid having to click the Allow button. Is there any way (short of MDM, which is very heavyweight for this use case) to avoid kext consent during testing?
Hi, I would like to know if there is another way to insert data before the read/write system call when SIP is turned on.
I've tried Endpoint Security, but it only receives notifications of read/write operations and does not allow me to insert the data I want before reading/writing.
(I first did this in kext via kauth_listen_scope, but it's been disabled since 10.15.)
Can anyone point me in the right direction? I'd appreciate it so much!
I am researching the drivers in macOS. Apple Developer lists that the Default Drivers are ApplePlatformExpert, IODTPlatformExpert, IOPlatformExpert, and the Apple Drivers are IODTNVRAM, AppleMacIO, AppleMacIODevice, AppleNMI. What are these drivers and how are they different?