How Kernel Prelinking Works on macOS Catalina (or Not)
The kernel is the first component of the operating system to start. It has no other tools available. In particular there is no way to check code signatures, and all file system access is very hard at this point. Apple therefore decided to prelink the bare kernel with all kernel extensions every time the kernel or one of the extensions is updated, and to start only that prelinked kernel at boot time.
[…]
Since the prelinked kernel is on a read-only volume, it cannot be updated directly. Apple had to conceive a new mechanism for updates.
[…]
When you reboot or shut down your machine, launchd stops all processes. Then it remounts the system volume in read/write mode. This is possible because launchd has the entitlement com.apple.private.apfs.mount-root-writeable-at-shutdown. Then it runs /var/install/shove_kernels to copy the new kernel.
But apparently this doesn’t actually work. So to update a kernel extension you need to disable System Integrity Protection or manually trigger a kernel update after booting into macOS Recovery.
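If the shutdown-time copy silently fails, the symptom is a prelinked kernel that is older than the kernel extensions it is supposed to contain. The following check is an added example (not code from the original post): it reports any .kext bundle whose contents were modified after the prelinked kernel was last written. The image path /System/Library/PrelinkedKernels/prelinkedkernel and the two extension directories are assumed Catalina defaults and can be overridden.

```python
"""Flag kernel extensions that are newer than the prelinked kernel.

Added example, not the original post's code. Paths below are assumed
Catalina defaults. A kext bundle modified after the prelinked image was
written means the shutdown-time copy did not land and the booted kernel
still carries the old extension.
"""
import os
from dataclasses import dataclass
from typing import Iterable, List

PRELINKED_KERNEL = "/System/Library/PrelinkedKernels/prelinkedkernel"  # assumed
KEXT_DIRS = ("/System/Library/Extensions", "/Library/Extensions")       # assumed


@dataclass
class StaleKext:
    path: str
    kext_mtime: float
    kernel_mtime: float


def newest_mtime(bundle: str) -> float:
    """Newest modification time of the bundle directory or any file inside it."""
    newest = os.stat(bundle).st_mtime
    for root, _dirs, files in os.walk(bundle):
        for name in files:
            newest = max(newest, os.stat(os.path.join(root, name)).st_mtime)
    return newest


def stale_kexts(prelinked: str = PRELINKED_KERNEL,
                kext_dirs: Iterable[str] = KEXT_DIRS) -> List[StaleKext]:
    """Return every .kext under kext_dirs modified after the prelinked kernel."""
    kernel_mtime = os.stat(prelinked).st_mtime
    stale: List[StaleKext] = []
    for directory in kext_dirs:
        if not os.path.isdir(directory):
            continue
        for entry in sorted(os.listdir(directory)):
            if not entry.endswith(".kext"):
                continue
            bundle = os.path.join(directory, entry)
            kext_mtime = newest_mtime(bundle)
            if kext_mtime > kernel_mtime:
                stale.append(StaleKext(bundle, kext_mtime, kernel_mtime))
    return stale


if __name__ == "__main__":
    for s in stale_kexts():
        print(f"STALE {s.path}: kext {s.kext_mtime:.0f} > prelinkedkernel {s.kernel_mtime:.0f}")
```

A non-empty result after an update means the running kernel still contains the old extension; an empty result only shows the timestamps are consistent, not that the image is correct.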