Apple Updates Platform Security Guide, Says Kernel Extensions Won't Be Supported on Future Apple Silicon Macs

[MacRumors]

Apple today shared an updated version of its Platform Security Guide [PDF], providing a comprehensive overview of the latest security advancements across iOS 14, iPadOS 14, macOS Big Sur, tvOS 14, watchOS 7, and more.

For example, the guide provides security details about Safari's optional Password Monitoring feature on iOS 14 and macOS Big Sur, which automatically keeps an eye out for any saved passwords that may have been involved in a data breach. Apple also outlines the security of its new digital car keys feature on the iPhone and Apple Watch.

Apple updated its "commitment to security" preamble, touting the security advantages of Apple-designed chips across the iPhone, iPad, Apple Watch, and Mac:

Apple continues to push the boundaries of what's possible in security and privacy. This year Apple devices with Apple SoC's across the product lineup from Apple Watch to iPhone and iPad, and now Mac, utilize custom silicon to power not only efficient computation, but also security. Apple silicon forms the foundation for secure boot, Touch ID and Face ID, and Data Protection, as well as system integrity features never before featured on the Mac including Kernel Integrity Protection, Pointer Authentication Codes, and Fast Permission Restrictions. These integrity features help prevent common attack techniques that target memory, manipulate instructions, and use javascript on the web. They combine to help make sure that even if attacker code somehow executes, the damage it can do is dramatically reduced.

New sections have been added for Macs with Apple silicon, outlining the security of the boot process, boot modes, startup disk, Rosetta 2 translation process for running Intel-based Mac apps, FileVault, Activation Lock, and more.

As expected, the guide confirms that kernel extensions will not be supported on future Macs with Apple silicon (emphasis ours):

In addition to enabling users to run older versions of macOS, Reduced Security is required for other actions that can put a user's system security at risk, such as introducing third-party kernel extensions (kexts). Kexts have the same privileges as the kernel, and thus any vulnerabilities in third-party kexts can lead to full operating system compromise. This is why developers are being strongly encouraged to adopt system extensions before kext support is removed from macOS for future Mac computers with Apple silicon.

macOS Catalina was the last version of macOS to fully support kernel extensions. Apple says kernel extensions are no longer recommended for macOS, noting that they pose a risk to the integrity and reliability of the operating system.

Starting with macOS Catalina, developers have been able to use system extensions that run in user space rather than at the kernel level. System extensions running in user space are granted only the privileges necessary to perform their specified function, which increases the stability and security of macOS, according to Apple.

Apple includes a document revision history section in the Platform Security Guide with a list of all new and updated information.

Apple also has a new Security Certifications and Compliance Center.

Article Link: Apple Updates Platform Security Guide, Says Kernel Extensions Won't Be Supported on Future Apple Silicon Macs

 

[jrlcopy]

Umm.... that's like a decent amount of professional apps.

 

[seanbperiod]

What are some examples of programs that use kexts?

Going through my folder, I only see Logitech and Paragon - I'm sure they'll find workarounds.

 

[al256]

What are some examples of programs that use kexts?

Webroot is one.

 

[asiga]

At the end, their goal is that MacOS is just iPadOS with Terminal and Xcode.

 

[jameslmoser]

Anyone surprised by this hasn't been paying attention. Apple is transforming Macs into Apple Service Appliances, and allowing you to customize your OS and install stuff from other places than the App store or developer signed Apps doesn't make them any money.

 

[Cosmosent]

Thanks for the Head's Up !

Have downloaded the PDF & will review it in detail as time allows.

 

[Gabebear]

Apple is inching MacOS to full Mach, which would be awesome... killing kernel extensions before having third-party GPU support will be interesting. What is old is new again https://en.wikipedia.org/wiki/MkLinux

 

[Strategia]

What are some examples of programs that use kexts?

VirtualBox

 

[Bluetoot-]

I guess services really are the next level. Kind of sad. I miss tools.

 

[chucker23n1]

"Apple continues to push the boundaries of what's possible in security and privacy."

I mean, sure, yes. But also: "Apple continues to reduce the ceiling of what's possible in macOS."

 

[aednichols]

Herding developers to run app code in userspace instead of the kernel is just a good idea in general.

I've already been avoiding kext-based apps where possible for years.

 

[leman]

Anyone surprised by this has not been following macOS development for the last couple of years. Kernel extensions are out, userland drivers are in.

I mean, sure, yes. But also: "Apple continues to reduce the ceiling of what's possible in macOS."

If DriverKit supports enough relevant use cases, I don't see a problem.

Apple is inching MacOS to full Mach, which would be awesome... killing kernel extensions before having third-party GPU support will be interesting. What is old is new again https://en.wikipedia.org/wiki/MkLinux

There won't be any third party GPU support on Apple Silicon. Why would Apple sabotage the developer and user experience ecosystem they have been painstakingly bulding?

VirtualBox

Made irrelevant by the new virtualization framework. Parallels Preview runs on M1 without any kernel extensions.

 

[ArPe]

Yes I hate kexts. Driver should be built into apps ideally so I never have to download a driver again. Best example is Vuescan that just adds and adds and adds more scanners.

 

[Okasian]

What are some examples of programs that use kexts?

Not user-space programs per-se, but more fundamental protocols like iSCSI and third party iSCSI initiators (SMB/AFP at the disk level, not file level) won’t be supported anymore. (You cant format a SMB share with APFS for example.)

With kernel-space iSCSI, you can do things like having a constantly connected virtual hard disk, which is handy for iTunes, Lightroom, Plex and other use cases which require a lot of storage on a hard-drive-like /dev/ to ‘act like’ it’s physically present (constant TCP connection to disk, so always ON.) (Lightroom/iTunes doesn’t allow storage of huge catalogs/media over file-space - SMB/AFP - without symlink trickery for example, whereas you can buy a 10TB HD with a NAS and emulate 10TBs local storage over Windows, Elementary, other non-regressive UNIX-based OS's, handy for huge Final Cut projects without having a physical SSD attached etc.)

 

[mazz0]

At the end, their goal is that MacOS is just iPadOS with Terminal and Xcode.

Throw in the ability to run VMs and I’m happy with that.

 

[chucker23n1]

If DriverKit supports enough relevant use cases, I don't see a problem.

Well, if "reboot twice" is the new normal for a user experience, anyway.

There won't be any third party GPU support on Apple Silicon.

We'll see.

 

[thedocbwarren]

VirtualBox

We have a built-in hypervisor now, like others, they have to move to use of it instead of their own.

 

[chucker23n1]

Throw in the ability to run VMs and I’m happy with that.

VMs already don't require kernel extensions.

 

[Helmlein]

Webroot is one.

And USB MIDI drivers, e.g. for Roland Instruments (Aerophone, several keyboards). And yes, also Class Compliant ones are affected (can be used through BT though, albeit with more latency)

H.

 

[mazz0]

VMs already don't require kernel extensions.

Yeah, but iPads can’t run ‘em. I’m just saying that’s one thing I’d miss if they made MacoOS more like iPadOS. It was a tongue-in-cheek semi-serious response to that common accusation that MacOS is becoming iPadOS.

 

[lucas]

Great for security, but what are we giving up for this?

 

[tmg2010]

Webroot is one.

Terminal command: kextstat | grep -v com.apple - will tell you what you have running.

 

[Phil A.]

Not user-space programs per-se, but more fundamental protocols like iSCSI and third party iSCSI initiators (SMB/AFP at the disk level, not file level) won’t be supported anymore. (You cant format a SMB share with APFS for example.)

You can do things like having a constantly connected virtual hard disk, which is handy for iTunes, Lightroom, Plex and other use cases which require a lot of storage on a hard-drive-like /dev/ to ‘act like’ it’s physically present (constant TCP connection to disk, so always ON.) (Lightroom/iTunes doesn’t allow storage of huge catalogs/media over network without symlink trickery for example, whereas you can buy a 10TB HD with a NAS and emulate 10TBs local storage over Windows, Elementary, other non-regressive UNIX-based OS's, handy for huge Final Cut projects without having a physical SSD attached etc.)

I have always found iSCSI very useful to connect to my synology NAS and the lack of a built in iSCSI initiator is a glaring omission for me.

Before Big Sur, I used the globalSan one.

With Big Sur, the writing has been clearly put on the wall and you have to jump through hoops to get it to work (plus it will kernel panic your machine if you shut down without ejecting the targets first)

As this is the only third party kext I use, I reluctantly decided to migrate to using SMB shares where I could and increased my local disk space rather than continue to invest in something that clearly has limited life left.

I continue to keep the somewhat forlorn hope that Apple will step in with a native solution (although I suspect it’s too niche for them)

 

[EvanBatter]

What are some examples of programs that use kexts?

Going through my folder, I only see Logitech and Paragon - I'm sure they'll find workarounds.

A kext is also needed to connect to SMB fileshares from a NAS or Windows-fileserver. This was already broken in early betas of BigSur, was later fixed in the release and is now in the last two betas broken again. Seems they try to find an alternative solution for that. Hope they will not discard it.