Tuesday, May 14, 2019 [Tweets] [Favorites]

macOS 10.14.5 Whitelists Kernel Extensions

Howard Oakley:

Until 10.14.5, AppleKextExcludeLList.kext contained one Property List, KnownPanics.plist, which detailed kernel extensions known to Apple to be the cause of kernel panics, thus excluded from loading in Mojave; that hasn’t changed in 10.14.5. That kext now contains a second property list, ExceptionLists.plist, which is a long dictionary of “secure timestamp exceptions”.

Each entry consists of a string of hex digits, which is presumably an identifier or hash, together with the kext ID (such as com.thiscompany.mykext) and its version number. These appear to be an exhaustive list of over 18,000 existing kernel extensions which have been granted exceptions to the notarization requirement.

Previously:

Update (2019-06-03): Howard Oakley:

The man page for spctl hasn’t been updated for over six years, but in 2017 it gained a set of actions to handle kernel extensions and your consent for them to be installed – what Apple terms User Approved or Secure Kernel Extension loading. You should be able to see these if you call spctl with the -h option. These kext-consent commands only work when you’re booted in Recovery mode: they should return errors if you’re running in regular mode.

This appears to unblock kernel extensions which macOS won’t install because they don’t comply with the new rules on notarization, presumably by adding the kernel extension to the new whitelist which was installed as part of the macOS 10.14.5 update. Kernel extensions which are correctly notarized should result in the display of the consent dialog taking the user to Security & Privacy; those which aren’t and don’t appear in the whitelist are simply blocked and not installed now.

2 Comments

the vice is tightening. soon kexts will be forbidden, taking away yet more control of our own computers.

[…] macOS 10.14.5 Whitelists Kernel Extensions […]

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment