Secure Kernel Extension Loading in macOS High Sierra

0x00 Background

Reference:
Technical Note TN2459: Secure Kernel Extension Loading

In macOS High Sierra, Apple introduced the Secure Kernel Extension Loading (aka Kext User Consent) feature, which requires the user to approve a signed kext before it is loaded. Approval is granted per developer team ID, so once a team ID has been approved, other kexts signed by the same team load without a further prompt.
Note that this restriction only applies to validly signed kexts. Unsigned kexts are already rejected by the kext signing check in System Integrity Protection. And if the kext signing check is disabled, the kext user consent feature is turned off as well.

For the configuration of this feature, as described in the tech note, beginning with 10.13 Developer Beta 3 / Public Beta 2 the spctl tool can be used from the Recovery environment to modify the kext user consent settings:

0x01 Take a look at spctl

Behind the scenes, changing the kext user consent setting with spctl modifies the SIP configuration, which is persisted in NVRAM (the csr-active-config and csr-data variables).

A newly added CSR flag in csr-active-config is what enables or disables the kext consent feature:
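The decoder below is an added example, not code from the original post or from Apple. It takes the value column exactly as `nvram csr-active-config` prints it (printable bytes literally, everything else as `%XX`), rebuilds the little-endian 32-bit mask, and names the set bits using the CSR_ALLOW_* constants from XNU's bsd/sys/csr.h; `CSR_ALLOW_UNAPPROVED_KEXTS` (bit 9, 0x200) is the High Sierra addition that `spctl kext-consent disable` turns on. It also encodes the interaction described above: when `CSR_ALLOW_UNTRUSTED_KEXTS` is set (kext signing check off), user consent is moot regardless of bit 9. The sample values are constructed; the script needs Python 3.7+ and only shells out to `nvram` when run as a program on macOS.

```python
"""Decode csr-active-config as printed by `nvram` and report kext consent state."""
import subprocess

# SIP (CSR) flag bits from XNU's bsd/sys/csr.h.
CSR_FLAGS = {
    0x001: "CSR_ALLOW_UNTRUSTED_KEXTS",
    0x002: "CSR_ALLOW_UNRESTRICTED_FS",
    0x004: "CSR_ALLOW_TASK_FOR_PID",
    0x008: "CSR_ALLOW_KERNEL_DEBUGGER",
    0x010: "CSR_ALLOW_APPLE_INTERNAL",
    0x020: "CSR_ALLOW_UNRESTRICTED_DTRACE",
    0x040: "CSR_ALLOW_UNRESTRICTED_NVRAM",
    0x080: "CSR_ALLOW_DEVICE_CONFIGURATION",
    0x100: "CSR_ALLOW_ANY_RECOVERY_OS",
    0x200: "CSR_ALLOW_UNAPPROVED_KEXTS",   # added in 10.13: kext consent off
}
CSR_ALLOW_UNTRUSTED_KEXTS = 0x001
CSR_ALLOW_UNAPPROVED_KEXTS = 0x200


def decode_nvram_value(text):
    """Turn the value column of `nvram <var>` back into raw bytes.

    `nvram` prints printable ASCII bytes literally and all other bytes as
    %XX escapes, so the 4-byte little-endian value 0x00000277 shows up as
    'w%02%00%00' ('w' is 0x77).
    """
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "%":
            if i + 2 >= len(text):
                raise ValueError("truncated %%XX escape in %r" % text)
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def csr_active_config(text):
    """Return csr-active-config as an integer bitmask (little-endian uint32)."""
    raw = decode_nvram_value(text)
    if len(raw) > 4:
        raise ValueError("csr-active-config longer than 4 bytes: %r" % raw)
    return int.from_bytes(raw.ljust(4, b"\x00"), "little")


def flag_names(mask):
    """Names of the CSR_ALLOW_* bits set in mask, lowest bit first."""
    return [name for bit, name in sorted(CSR_FLAGS.items()) if mask & bit]


def kext_consent_state(mask):
    """What the mask means for Secure Kernel Extension Loading.

    Kext signing disabled  -> consent is irrelevant (unsigned kexts load anyway)
    CSR_ALLOW_UNAPPROVED_KEXTS -> consent explicitly disabled via spctl
    otherwise              -> signed kexts need one-time approval per team ID
    """
    if mask & CSR_ALLOW_UNTRUSTED_KEXTS:
        return "off (kext signing check disabled)"
    if mask & CSR_ALLOW_UNAPPROVED_KEXTS:
        return "off (CSR_ALLOW_UNAPPROVED_KEXTS)"
    return "on"


if __name__ == "__main__":
    try:
        out = subprocess.run(["nvram", "csr-active-config"], check=True,
                             capture_output=True, text=True).stdout
        value = out.rstrip("\n").split("\t", 1)[1]
    except (OSError, subprocess.CalledProcessError, IndexError):
        # Not on macOS, or the variable is unset: use a constructed sample value.
        value = "w%02%00%00"
    mask = csr_active_config(value)
    print("csr-active-config = 0x%x" % mask)
    for name in flag_names(mask):
        print("  " + name)
    print("kext user consent: " + kext_consent_state(mask))
```

A mask of 0x200 alone is the state `spctl kext-consent disable` produces while the rest of SIP stays on; a mask with bit 0 set reports consent as off for the reason given in the background section, not because of bit 9.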

As for the add/remove/list team-id features provided by spctl, this is where csr-data comes into play:

This list acts as a whitelist of allowed team IDs, which can be preset for enterprise deployments.

And, like csrutil, spctl also carries the com.apple.private.iokit.nvram-csr entitlement:

0x02 Going deeper

If spctl is still not good enough for you, just play with the newly added kext policy database, a SQLite database at /var/db/SystemPolicyConfiguration/KextPolicy.

-> List user-approved kexts:

-> Check the load history of approved kexts:

By default, the kext policy database is read-only during a normal boot because it sits under SIP's filesystem protection. In order to make changes, turn off the filesystem protection first:

Or just modify the database directly from the Recovery OS.

-> Remove a given team ID. Kexts signed with it will require user consent again the next time they load:
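The script below is an added example covering the three steps above (list approved kexts, check load history, remove a team ID); it is not code from the original post or from Apple. It uses Python's sqlite3 module instead of the sqlite3 command-line tool. The table and column names are the ones observed in a 10.13 KextPolicy database and are an assumption that may not hold for other builds; the rows in `demo_db()` are constructed sample data, and `ABCDE12345` / `ZYXWV98765` are made-up team IDs. Against the real database the functions behave the same, but writes only succeed once the filesystem protection is off or from the Recovery OS, as described above, which is why `open_db()` defaults to a read-only connection.

```python
"""List, audit and revoke entries in a macOS 10.13 KextPolicy database."""
import sqlite3

# Location of the real database (protected by SIP's filesystem protection).
KEXT_POLICY_DB = "/var/db/SystemPolicyConfiguration/KextPolicy"

# Schema as observed on 10.13 (assumption: may differ between builds).
SCHEMA = """
CREATE TABLE IF NOT EXISTS kext_policy (
    team_id TEXT, bundle_id TEXT, allowed BOOLEAN, developer_name TEXT,
    flags INTEGER, PRIMARY KEY (team_id, bundle_id));
CREATE TABLE IF NOT EXISTS kext_load_history_v3 (
    path TEXT PRIMARY KEY, team_id TEXT, bundle_id TEXT, boot_uuid TEXT,
    created_at TEXT, last_seen TEXT, flags INTEGER);
"""


def open_db(path=KEXT_POLICY_DB, writable=False):
    """Open the policy database; read-only unless a write is really intended."""
    if writable:
        return sqlite3.connect(path)
    # mode=ro fails fast with an error instead of leaving a stray journal file
    # behind if SIP is still protecting the directory.
    return sqlite3.connect("file:%s?mode=ro" % path, uri=True)


def approved_kexts(conn):
    """(team_id, bundle_id, developer_name) for every user-approved kext."""
    rows = conn.execute(
        "SELECT team_id, bundle_id, developer_name FROM kext_policy "
        "WHERE allowed = 1 ORDER BY team_id, bundle_id").fetchall()
    return [tuple(r) for r in rows]


def load_history(conn, team_id=None):
    """(path, team_id, bundle_id, last_seen) of recorded kext loads, newest first.

    Pass a team_id to see only what that developer's kexts have loaded from.
    """
    sql = "SELECT path, team_id, bundle_id, last_seen FROM kext_load_history_v3"
    params = ()
    if team_id is not None:
        sql += " WHERE team_id = ?"
        params = (team_id,)
    sql += " ORDER BY last_seen DESC"
    return [tuple(r) for r in conn.execute(sql, params).fetchall()]


def revoke_team(conn, team_id):
    """Delete every policy row for team_id so its kexts prompt for consent again.

    Returns the number of rows removed (0 means the team ID was never approved).
    """
    cur = conn.execute("DELETE FROM kext_policy WHERE team_id = ?", (team_id,))
    conn.commit()
    return cur.rowcount


def demo_db():
    """In-memory database seeded with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO kext_policy VALUES (?, ?, ?, ?, ?)",
        [("ABCDE12345", "com.example.driver", 1, "Example Corp", 1),
         ("ABCDE12345", "com.example.helper", 1, "Example Corp", 1),
         ("ZYXWV98765", "org.sample.filter", 0, "Sample Org", 0)])  # denied
    conn.executemany(
        "INSERT INTO kext_load_history_v3 VALUES (?, ?, ?, ?, ?, ?, ?)",
        [("/Library/Extensions/ExampleDriver.kext", "ABCDE12345",
          "com.example.driver", "00000000-0000-0000-0000-000000000001",
          "2017-09-01 10:00:00", "2017-09-02 08:30:00", 0)])
    conn.commit()
    return conn


if __name__ == "__main__":
    try:
        db = open_db()                 # the real database, read-only
    except sqlite3.OperationalError:
        db = demo_db()                 # not on macOS: use the constructed sample
    for row in approved_kexts(db):
        print("approved: %s %s (%s)" % row)
    for row in load_history(db):
        print("loaded:   %s by %s [%s] last seen %s" % row)
```

To actually revoke an approval, open the database with `open_db(writable=True)` after disabling SIP's filesystem protection (or from the Recovery OS) and call `revoke_team(conn, team_id)`; the denied row for `ZYXWV98765` in the sample shows that `allowed = 0` entries exist too, so listing only `allowed = 1` is what "user approved" means here.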

…and even a plist of allowed codeless kexts? LoL.
