Technical Note TN2459

Secure Kernel Extension Loading

macOS High Sierra introduces a new feature that requires user approval before loading new third-party kernel extensions. This feature will require changes to some apps and installers in order to preserve the desired user experience. This technote is for developers who ship kernel extensions to users and system administrators who need to install kernel extensions.

Introduction
In Depth Explanation
Effects on Enterprise App Distribution
Document Revision History

Introduction

macOS High Sierra 10.13 introduces a new feature that requires user approval before loading newly-installed third-party kernel extensions. Third-party kernel extensions (KEXTs) that were already present when upgrading to macOS High Sierra are granted automatic approval.

When a request is made to load a KEXT that the user has not yet approved, the load request is denied. Apps or installers that treat a KEXT load failure as a hard error will need to be changed to handle this new case.

In Depth Explanation

This feature enforces that only kernel extensions approved by the user will be loaded on a system. When a request is made to load a KEXT that the user has not yet approved, the load request is denied and macOS presents the alert shown in Figure 1.

Figure 1  Blocked kernel extension

This prompts the user to approve the KEXT in System Preferences > Security & Privacy as shown in Figure 2.

Figure 2  User approval to load a KEXT

This approval UI is only present in the Security & Privacy preferences pane for 30 minutes after a blocked load attempt.

The alert shows the name of the developer who signed the KEXT so the user has some information to decide whether to approve the KEXT. This name comes from the Subject Common Name field of the Developer ID Application certificate used to sign the KEXT. Because of this, developers are encouraged to provide the appropriate company name when requesting kext signing identities.

When a user provides approval, they are actually approving all other KEXTs signed by the same Team ID found in the same place as the approved KEXT. If the approved KEXT is located in the application's bundle, all other KEXTs signed by the same Team ID in the same application's bundle are also approved.

If the approved KEXT is located in the application's /Library/Application Support sub-directory, or in /Library/Extensions, all other KEXTs signed by the same Team ID found in that same directory are also approved.

Once approved, the KEXT will immediately be loaded or added to the prelinked kernel cache, depending on what action was blocked. Subsequent requests to load the KEXT will proceed silently as on previous macOS versions. Kernel extensions are tracked through the team identifier and designated requirement in their code signatures, so updating a KEXT that has already been approved will not trigger a new approval request.

Installers and applications that load kernel extensions may need to be revised to gracefully handle the kernel extension failing to load. Many products treat a KEXT loading failure as a hard failure. Some prompt the user to reinstall, some present a cryptic error message, and some simply don't function.

Starting with macOS High Sierra, installers and apps that load KEXTs should expect that KEXT loading will fail if the user hasn't approved their KEXT. Instead of treating this as an error, the user should be informed that they may need to approve the KEXT.

To determine if a KEXT has failed to load because it does not have user consent:

Effects on Enterprise App Distribution

For enterprise deployments where it is necessary to distribute software that includes kernel extensions without requiring user approval, boot into macOS Recovery and use the spctl kext-consent command. This command can either disable the user approval requirement completely or specify a list of Team IDs whose KEXTs may be loaded without user approval. For details, run the command spctl help.

The spctl command works in any installation environment, including Recovery OS and from NetBoot/NetInstall/NetRestore images.



Document Revision History


DateNotes
2017-07-12

Updated for macOS High Sierra beta 3.

2017-06-19

New document that describes the secure kernel extension loading feature introduced in macOS High Sierra.