MacRumors

macrumors bot
Original poster
Apr 12, 2001


Apple today shared an updated version of its Platform Security Guide [PDF], providing a comprehensive overview of the latest security advancements across iOS 14, iPadOS 14, macOS Big Sur, tvOS 14, watchOS 7, and more.


For example, the guide provides security details about Safari's optional Password Monitoring feature on iOS 14 and macOS Big Sur, which automatically keeps an eye out for any saved passwords that may have been involved in a data breach. Apple also outlines the security of its new digital car keys feature on the iPhone and Apple Watch.

Apple updated its "commitment to security" preamble, touting the security advantages of Apple-designed chips across the iPhone, iPad, Apple Watch, and Mac:
Apple continues to push the boundaries of what's possible in security and privacy. This year Apple devices with Apple SoCs across the product lineup from Apple Watch to iPhone and iPad, and now Mac, utilize custom silicon to power not only efficient computation, but also security. Apple silicon forms the foundation for secure boot, Touch ID and Face ID, and Data Protection, as well as system integrity features never before featured on the Mac including Kernel Integrity Protection, Pointer Authentication Codes, and Fast Permission Restrictions. These integrity features help prevent common attack techniques that target memory, manipulate instructions, and use JavaScript on the web. They combine to help make sure that even if attacker code somehow executes, the damage it can do is dramatically reduced.
New sections have been added for Macs with Apple silicon, outlining the security of the boot process, boot modes, startup disk, Rosetta 2 translation process for running Intel-based Mac apps, FileVault, Activation Lock, and more.

As expected, the guide confirms that kernel extensions will not be supported on future Macs with Apple silicon (emphasis ours):
In addition to enabling users to run older versions of macOS, Reduced Security is required for other actions that can put a user's system security at risk, such as introducing third-party kernel extensions (kexts). Kexts have the same privileges as the kernel, and thus any vulnerabilities in third-party kexts can lead to full operating system compromise. This is why developers are being strongly encouraged to adopt system extensions before kext support is removed from macOS for future Mac computers with Apple silicon.
macOS Catalina was the last version of macOS to fully support kernel extensions. Apple says kernel extensions are no longer recommended for macOS, noting that they pose a risk to the integrity and reliability of the operating system.

Starting with macOS Catalina, developers have been able to use system extensions that run in user space rather than at the kernel level. System extensions running in user space are granted only the privileges necessary to perform their specified function, which increases the stability and security of macOS, according to Apple.

Apple includes a document revision history section in the Platform Security Guide with a list of all new and updated information.

Apple also has a new Security Certifications and Compliance Center.

Article Link: Apple Updates Platform Security Guide, Says Kernel Extensions Won't Be Supported on Future Apple Silicon Macs
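As an added example (not code from the article or from Apple's guide), a small audit that lists which loaded kexts are third-party, the ones a Mac would need Reduced Security to keep loading on Apple silicon; the kextstat-style input and every non-Apple bundle ID in it are constructed placeholders.

```shell
#!/bin/sh
# Added audit example, not code from the article or from Apple's guide.
# Lists loaded kernel extensions outside the com.apple.* namespace, i.e. the
# third-party kexts that run with full kernel privilege and will require
# Reduced Security on Apple silicon. On a Mac the input is `kextstat` output;
# here a constructed sample in kextstat's column layout (Index Refs Address
# Size Wired Name (Version) UUID <Linked Against>) is embedded so the check
# runs offline. Every non-Apple bundle ID below is a made-up placeholder.

SAMPLE_KEXTSTAT='Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  152 0xffffff7f80e0a000 0x7000     0x7000     com.apple.kpi.bsd (20.3.0) UUID-PLACEHOLDER <>
   28    0 0xffffff7f82b1d000 0x3b000    0x3b000    com.apple.driver.AppleUSBHostMergeProperties (900.4.2) UUID-PLACEHOLDER <6 4 3 1>
  161    0 0xffffff7f84a0f000 0x12000    0x12000    com.example.paragon-ntfs (17.0.1) UUID-PLACEHOLDER <8 6 5 3 1>
  162    0 0xffffff7f84a30000 0x9000     0x9000     com.example.logitech-driver (8.20.0) UUID-PLACEHOLDER <5 4 3 1>
  163    0 0xffffff7f84a40000 0x1a000    0x1a000    com.example.iscsi-initiator (5.3.0) UUID-PLACEHOLDER <8 6 5 3 1>'

# Read kextstat-format text on stdin, skip the header line, and print
# "<bundle id> <version>" for every kext whose name is not com.apple.*.
list_third_party_kexts() {
    awk 'NR > 1 && $6 !~ /^com\.apple\./ { print $6 " " $7 }'
}

# Run the filter over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_KEXTSTAT" | list_third_party_kexts
}

# Number of third-party kexts in the sample; anything above 0 means the
# machine still depends on code loaded into the kernel.
count_third_party_kexts() {
    audit_sample | wc -l | tr -d ' '
}

# Exit status usable in a fleet check: 0 = clean, 1 = third-party kexts present.
sample_is_clean() {
    [ "$(count_third_party_kexts)" -eq 0 ]
}

audit_sample
```

On a real Mac, pipe `kextstat` output into list_third_party_kexts instead of the sample; on Big Sur kextstat is deprecated in favour of `kmutil showloaded`, whose table is similar but worth checking before relying on field 6.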

leman

macrumors G5
Oct 14, 2008
Anyone surprised by this has not been following macOS development for the last couple of years. Kernel extensions are out, userland drivers are in.

I mean, sure, yes. But also: "Apple continues to reduce the ceiling of what's possible in macOS."

If DriverKit supports enough relevant use cases, I don't see a problem.

Apple is inching MacOS to full Mach, which would be awesome... killing kernel extensions before having third-party GPU support will be interesting. What is old is new again https://en.wikipedia.org/wiki/MkLinux

There won't be any third party GPU support on Apple Silicon. Why would Apple sabotage the developer and user experience ecosystem they have been painstakingly building?

VirtualBox

Made irrelevant by the new virtualization framework. Parallels Preview runs on M1 without any kernel extensions.

ArPe

macrumors 65816
May 31, 2020
Yes I hate kexts. Drivers should be built into apps ideally so I never have to download a driver again. Best example is Vuescan that just adds and adds and adds more scanners.

Okasian

macrumors regular
Sep 27, 2017
What are some examples of programs that use kexts?

Not user-space programs per se, but more fundamental protocols like iSCSI and third party iSCSI initiators (SMB/AFP at the disk level, not file level) won’t be supported anymore. (You can't format a SMB share with APFS for example.)

With kernel-space iSCSI, you can do things like having a constantly connected virtual hard disk, which is handy for iTunes, Lightroom, Plex and other use cases which require a lot of storage on a hard-drive-like /dev/ to ‘act like’ it’s physically present (constant TCP connection to disk, so always ON.) (Lightroom/iTunes doesn’t allow storage of huge catalogs/media over file-space - SMB/AFP - without symlink trickery for example, whereas you can buy a 10TB HD with a NAS and emulate 10TBs local storage over Windows, Elementary, other non-regressive UNIX-based OSs, handy for huge Final Cut projects without having a physical SSD attached etc.)

Attachment: not-there.PNG

Phil A.

Moderator
Staff member
Apr 2, 2006
Shropshire, UK
Not user-space programs per se, but more fundamental protocols like iSCSI and third party iSCSI initiators (SMB/AFP at the disk level, not file level) won’t be supported anymore. (You can't format a SMB share with APFS for example.)

You can do things like having a constantly connected virtual hard disk, which is handy for iTunes, Lightroom, Plex and other use cases which require a lot of storage on a hard-drive-like /dev/ to ‘act like’ it’s physically present (constant TCP connection to disk, so always ON.) (Lightroom/iTunes doesn’t allow storage of huge catalogs/media over network without symlink trickery for example, whereas you can buy a 10TB HD with a NAS and emulate 10TBs local storage over Windows, Elementary, other non-regressive UNIX-based OSs, handy for huge Final Cut projects without having a physical SSD attached etc.)

I have always found iSCSI very useful to connect to my Synology NAS and the lack of a built-in iSCSI initiator is a glaring omission for me.

Before Big Sur, I used the globalSan one.

With Big Sur, the writing has been clearly put on the wall and you have to jump through hoops to get it to work (plus it will kernel panic your machine if you shut down without ejecting the targets first).

As this is the only third party kext I use, I reluctantly decided to migrate to using SMB shares where I could and increased my local disk space rather than continue to invest in something that clearly has limited life left.

I continue to keep the somewhat forlorn hope that Apple will step in with a native solution (although I suspect it’s too niche for them).

EvanBatter

macrumors newbie
Aug 1, 2020
What are some examples of programs that use kexts?

Going through my folder, I only see Logitech and Paragon - I'm sure they'll find workarounds.
A kext is also needed to connect to SMB fileshares from a NAS or Windows file server. This was already broken in early betas of Big Sur, was later fixed in the release and is now in the last two betas broken again. Seems they try to find an alternative solution for that. Hope they will not discard it.