The following information is a must-read for developers, bad news for hackintosh users, and good news for (future) Mac users. Keeping the bad guys out, to help protect you and your hardware. The side effect is that it might eventually stop people from using the latest and greatest, aka OS X 10.9 Mavericks, on a hack (it didn't happen in the 10.9 GM, but it may still happen in 10.10). Well, until someone comes up with another great hack, of course.
Protecting the kernel
- OS X 10.9 code signing verification for kexts
- OS X 10.9 all kexts signatures are verified
- OS X 10.9 unsigned or invalid signatures are non fatal (with one* exception)
- OS X 10.9 Signed kexts will not load on releases prior to OS X 10.8
- Valid code signatures will eventually be mandatory for all kexts
- Use kextutil -tn to verify your kext
- OS X 10.9 auto-load, on-demand load by CFBundleIdentifier, and kernel cache build
- Searches in /System/Library/Extensions and /Library/Extensions
- Must code sign* kexts in /Library/Extensions
Where we want your kexts installed
- Auto-load kexts required for rooting, or auto-searching of kexts
- OS X 10.9, /Library/Extensions MUST be signed!
- OS X 10.9, /System/Library/Extensions (for compatibility)
- OS X 10.9 and earlier, install unsigned kexts in /System/Library/Extensions
- All other kexts
- Signed kexts CAN go into: /Library/Extensions
- Do not install anywhere in /System (locked in the
- Other common locations still OK
- New with OS X 10.9: a certificate for signing applications and kexts
In OS X 10.9
- Kexts in /Library/Extensions will NOT load if they are unsigned or have a signature verification error
- Users will see the “no load” alert dialog (need to OK it)
- Kexts outside /Library/Extensions will load if they are unsigned or have a signature verification error
- But users will see this – rather annoying – dialog
- Code signature verification warnings and error messages
- Most common code signature verification error codes
- -67030: something in kext bundle was modified
- -67062: kext is not signed
- Code signing error codes are in Security.framework:
- #include <Security/CSCommon.h>
Example after modified Info.plist:
com.apple.kextd: WARNING – Invalid signature -67030 for kext URL = “file:///Users/local/AppleSamplePCI.kext/”, ID – “com.example.apple-samplecode.driver.SamplePCI”
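To put the two error codes and the kextd warning format above to use, here is an added Python example (not from Apple or the WWDC session) that scans kextd log lines, maps each code to the meaning the slide gives, and flags whether the location rule above means the kext was blocked from loading. The log lines are constructed for the example; the -67030/-67062 meanings are the two the page lists.

```python
import re

# Meanings of the two Security.framework code signing errors the page lists
# (the full set is declared in Security/CSCommon.h).
CS_ERRORS = {
    -67030: "something in the kext bundle was modified",
    -67062: "kext is not signed",
}

# Constructed sample lines in the kextd WARNING format quoted above.
SAMPLE_LOG = """\
com.apple.kextd: WARNING - Invalid signature -67030 for kext URL = "file:///Users/local/AppleSamplePCI.kext/", ID = "com.example.apple-samplecode.driver.SamplePCI"
com.apple.kextd: WARNING - Invalid signature -67062 for kext URL = "file:///Library/Extensions/ExampleAudio.kext/", ID = "com.example.driver.ExampleAudio"
com.apple.kextd: Loading kext com.apple.driver.AppleHDA
"""

# Accept '-', '=' or an en dash as the separator, since the quoted line shows
# an en dash where the real log uses '=' after blog reformatting.
WARN_RE = re.compile(
    r'WARNING\s*[-=\u2013]\s*Invalid signature (?P<code>-?\d+) for kext URL = '
    r'"(?P<url>[^"]+)", ID\s*[-=\u2013]\s*"(?P<id>[^"]+)"'
)


def parse_kextd_log(text):
    """Return one finding per invalid-signature warning in the given log text."""
    findings = []
    for line in text.splitlines():
        m = WARN_RE.search(line)
        if not m:
            continue
        code = int(m.group("code"))
        url = m.group("url")
        path = url[len("file://"):] if url.startswith("file://") else url
        path = path.rstrip("/")
        findings.append({
            "id": m.group("id"),
            "path": path,
            "code": code,
            "reason": CS_ERRORS.get(code, "unknown code signing error"),
            # Per the rules above: a bad signature in /Library/Extensions means the
            # kext will NOT load; elsewhere it still loads (with the user dialog).
            "blocked": path.startswith("/Library/Extensions/"),
        })
    return findings


if __name__ == "__main__":
    for f in parse_kextd_log(SAMPLE_LOG):
        state = "BLOCKED" if f["blocked"] else "loaded with warning"
        print(f'{f["id"]}: {f["code"]} ({f["reason"]}) at {f["path"]} -> {state}')
```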
All kernel extensions in /Library/Extensions must be signed, and unsigned or otherwise invalid kexts in /System/Library/Extensions will trigger an annoying dialog.
Apple also said that the /System directory will be locked in the future, but didn't mention when or in which version of OS X that would be done. We just have to wait and see when it happens, but once it is introduced (in whatever OS version that may be) we are locked out: editing plists and/or patching binary (executable) files of signed kexts will be impossible, and since there are plenty of kexts that need a binary and/or plist patch… you soon get the picture.
Source: Apple WWDC session video (707) and PDF.
Edit: Example of “Kernel extensions are not from identified developers” added.
Edit 2: Source added. Part about the locking of the /System directory reworded, this because it is unclear in which version of OS X it will be locked down.
Edit 3: Reworded a sentence that stated that people would be unable to use OS X 10.9 Mavericks on their hack. Sorry folks. I had no idea that this was still there. Should have been changed a long time ago, but I forgot about it.
Thanks to joe75 for the heads up!