Apple Updates Platform Security Guide, Says Kernel Extensions Won't Be Supported on Future Apple Silicon Macs

[LeadingHeat]

This honestly is great for user security. Having them execute at the user level instead sounds like a compromise but I’d rather have the kernel remain untouched. Plus with the existing APIs developers can utilize, they’ll just have to figure out a different path to their end goal.

 

[Wowfunhappy]

I think forcing PCIDriverKit for all future graphics cards on MacOS could turn out great. Graphic cards have pretty awful drivers in general... they break most of the rules about good software design in search of an extra 1% performance.

Graphics drivers are absolutely buggy as heck, but there's a very good reason we run them in kernel space—low latency is absolutely critical for graphics. If all of that data has to go through the kernel first, it would basically defeat the purpose of having a gpu...

I'm not too concerned about this specific case, though. To my knowledge (and feel free to correct me), there has only ever been one third party GPU driver for macOS—the nVidia Web Drivers—and nVidia has already walked away.

 

[Apple_Robert]

Good that Windows, Linux, other UNIXes, PCs and Raspberry Pi's still exists and comes to the rescue.
Macs are becoming plain stupid consumer low tech computer devices, just like iPhones and iPads.

IF someday Windows, Linux & Co. goes that route too, we'll end with a huge skills shortage crash in the whole industry, but at the same time they will wonder how and why China & Co. leapfrogged.

Maybe people in here wake up some day, when they fully lockdown macOS just like iOS.
Security through obscurity is the right term here, or just pure greediness.

In my opinion, Apple is trying to better secure the Mac. I don't think MR represents the typical Apple user. The general user turns on the Mac and proceeds to do all kind of things that you and I probably wouldn't do. As such, that means their system is at risk for all kinds of filth. And when that occurs, the same people turn to Apple and say fix my mess. This will make it a little easier for Apple to do just that (in a manner of speaking).

 

[Wildkraut]

Fair enough. One more question: if your scenario plays out, why would there be any reason for one to buy an iPad Pro?

Simply because it covers most of the scenarios the masses want.
Just look at iPhone and iPad, okay different sizes, the one can make a call, the other has a pen, but overall same same.
It's for the SaaS(Software as a Service) they mainly care, this is where the real money is, their devices just serves this main purpose, and Macs in their eyes not fully, yet.

Just look around you, or at the ones that uses their iPads, or simply watch for which kind of users their Ads are made.
Photos, Drawing, Writing, Read, Email, Browsing, Smaller Games, Music, a bit of Office and lifestyle things, this covers most usage scenarios, and for all that you will need their Services, a bit of subscription here and there, and you're fine.

Of course you won't need subscribe, but then you will constantly hit a paywall, just like now with the "free" 5GB iCloud for backups. iOS constantly nags you that there is not enough space, till you say okay take the 0.99€ or 2,99€ per month and ****. Or simply look at PhotoStream, it temporally served its purpose, but got kicked out, simply because it didn't serve to reach their SaaS goals, it was holding users from subscribing for more iCloud space.

 

[Wildkraut]

Graphics drivers are absolutely buggy as heck, but there's a very good reason we run them in kernel space—low latency is absolutely critical for graphics. If all of that data has to go through the kernel first, it would basically defeat the purpose of having a gpu...

I'm not too concerned about this specific case, though. To my knowledge (and feel free to correct me), there has only ever been one third party GPU driver for macOS—the nVidia Web Drivers—and nVidia has already walked away.

Forget about NVIDIA and AMD on Macs, with a*good amount luck* we might see a AMD transition for the next 1-3 years, but third party graphics hardware will be cut off.

 

[chucker23n1]

Graphics drivers are absolutely buggy as heck, but there's a very good reason we run them in kernel space—low latency is absolutely critical for graphics. If all of that data has to go through the kernel first, it would basically defeat the purpose of having a gpu...

Windows is actually ahead on this one — Vista introduced WDDM display drivers, which run largely in user mode. A display driver crash will make the window manager briefly revert to a generic driver (with stuff like 3D acceleration disabled) so apps continue to run as the driver tries to relaunch.

So I don't think latency is that much of a concern any more, in any case.

I'm not too concerned about this specific case, though. To my knowledge (and feel free to correct me), there has only ever been one third party GPU driver for macOS—the nVidia Web Drivers—and nVidia has already walked away.

Well, it seems like Apple kind of forced their hand.

 

[star-affinity]

Simply because it covers most of the scenarios the masses want.
Just look at iPhone and iPad, okay different sizes, the one can make a call, the other has a pen, but overall same same.
It's for the SaaS(Software as a Service) they mainly care, this is where the real money is, their devices just serves this main purpose, and Macs in their eyes not fully, yet.

Just look around you, or at the ones that uses their iPads, or simply watch for which kind of users their Ads are made.
Photos, Drawing, Writing, Read, Email, Browsing, Smaller Games, Music, a bit of Office and lifestyle things, this covers most usage scenarios, and for al that you will need their Services, a bit of subscription here and there, and you're fine.

Of course you won't need subscribe, but then you will constantly hit a paywall, just like now with the "free" 5GB iCloud for backups. iOS constantly nags you that there is not enough space, till you say okay take the 0.99€ or 2,99€ per month and ****. Or simply look at PhotoStream, it temporally served its purpose, but got kicked out, simply because it didn't serve to reach their SaaS goals, it was holding users from subscribing for more iCloud space.

Hmm… I'm still using Photo Stream on Big Sur 11.2.1 and iOS 14.4.

I keep hearing that people think the Mac will basically be ”iOS/iPadOS in a desktop coat. I don't think that will happen, at least not in the near term. Apple themselves even tries to be clear about that, but people keeps on going…

macOS Big Sur is still way more capable when it comes to what you can do with it compared to iOS and iPad OS. The security parts that require some extra steps can be a bit cumbersome the first time things has to be approved, but I still think they are there for a good reason. And as long as Apple offers some alternatives so the stuff that was previosly done with Kernel Extensions can be done in other ”approved” ways (such as DriverKit I guess?) I think things will be OK.

Like someone said there's always Windows and Linux to jump over too if things get too restricted.
But I'm not too worried (currently) – I thing Apple is showing that they still want to differentiate the macOS from iOS and iPadOS.

 

[Wildkraut]

In my opinion, Apple is trying to better secure the Mac. I don't think MR represents the typical Apple user. The general user turns on the Mac and proceeds to do all kind of things that you and I probably wouldn't do. As such, that means their system is at risk for all kinds of filth. And when that occurs, the same people turn to Apple and say fix my mess. This will make it a little easier for Apple to do just that (in a manner of speaking).

Well, sure thing that *securing* Macs charms a few people, but the main purpose of it is not securing, it *will be* locking it, securing is just a side effect which they advert as pretext.
Yes, MR does not represent Apples user base, and the day they fully lockdown macOS, few thousand of people will become angry and jump around, including myself, but that's something they will ignore, accept and don't care about, as long it keeps serving their goal of making more and more profit.

 

[Wildkraut]

Hmm… I'm still using Photo Stream on Big Sur 11.2.1 and iOS 14.4.

My Photo Stream

With My Photo Stream, you can access recent photos that you took with your iPhone, iPad, or iPod touch, or that you uploaded from your Mac or PC.

support.apple.com

If you recently created your Apple ID, My Photo Stream might not be available. If My Photo Stream isn't available, use iCloud Photos to keep your photos and videos in iCloud.

It's just a matter of time till they cut existing users off, too.

 

[throAU]

this is a good thing

short term pain but long term apps have no business running in kernel space if there’s and API available to do what they require. And Apple have built it.

if something is running in kernel space it has full ability to completely compromise a machine if exploited.

this is the only way Apple can be fully responsible for and able to secure the OS.

not just Apple either. Every major is vendor will go down this route if security is a priority.

 

[User_E]

Graphics drivers are absolutely buggy as heck, but there's a very good reason we run them in kernel space—low latency is absolutely critical for graphics. If all of that data has to go through the kernel first, it would basically defeat the purpose of having a gpu...

I was going to respond that Windows graphics drivers already run in user space, but chucker23n1 beat me to it.

The overhead of user-mode drivers is much less than you think, especially on modern hardware. Shared memory allows you to transfer data without going through the kernel; you only need to go through the kernel for real-time signaling (unless you're polling in the recipient process, in which case you can avoid the kernel entirely).

The monolithic vs. microkernel performance concerns were relevant in the 90s. They are not relevant anymore. Given the current security landscape, it's well past time to start sandboxing everything in user space.

 

[aidler]

Sad tbh. Future Macs will just be nice and expensive entertainment devices. No serious company could consider using them in a professional or enterprise setting. The risk that Apple changes APIs, services, extensions or disallowes certain applications is too high.

 

[BeatCrazy]

I think the only think I ran into trouble with on my M1 Mac mini was an extension for audio recording from the web as part of SnagIt.

Here are the instructions I needed to do, does this sound like it will no longer be supported? https://rogueamoeba.com/support/knowledgebase/?showArticle=ACE-BigSur

Notes on M Chip Installation​

• The “Reduced Security” setting still provides your Mac with powerful security, only allowing approved Apple operating systems to run.

• Despite the name of this setting, ACE is not a kernel extension. Instead, it's a standard audio plug-in, which receives enhanced privileges to access your system's audio. MacOS 11 simply uses the kernel extension verification system to allow ACE to load as well.

 

[Populus]

I honestly don’t know how does this affect me if, for instance, I use apps from outside the Mac App Store.

 

[Wowfunhappy]

Windows is actually ahead on this one — Vista introduced WDDM display drivers, which run largely in user mode. A display driver crash will make the window manager briefly revert to a generic driver (with stuff like 3D acceleration disabled) so apps continue to run as the driver tries to relaunch.

Windows graphics drivers are still absolutely addressing the kernel though. I don't think it would be possible to do this in the way Apple set up DriverKit.

But, I also think we all agree, this isn't really an issue since there just aren't any third party gpu drivers, nor are there any on the horizon.

I honestly don’t know how does this affect me if, for instance, I use apps from outside the Mac App Store.

It doesn't. If you were using any kernel extensions, you'd probably know about it.

 

[elvisizer]

Sad tbh. Future Macs will just be nice and expensive entertainment devices. No serious company could consider using them in a professional or enterprise setting. The risk that Apple changes APIs, services, extensions or disallowes certain applications is too high.

lolololololol
uhhhh apple has ALWAYS been this way. if you're using apple in a corp env right now I guarantee IT already know- every year with every new OS something's going to change and you're going to have to deal with that.

 

[0924487]

What are some examples of programs that use kexts?

Going through my folder, I only see Logitech and Paragon - I'm sure they'll find workarounds.

Many professional VPN apps with custom drivers use kernel extensions.

 

[Spock]

lolololololol
uhhhh apple has ALWAYS been this way. if you're using apple in a corp env right now I guarantee IT already know- every year with every new OS something's going to change and you're going to have to deal with that.

Yup, every year I get an email right after a new MacOS version is released telling us not to install it yet until it’s been internally tested. God forbid Jamf stops working.

 

[york2600]

What are some examples of programs that use kexts?

Going through my folder, I only see Logitech and Paragon - I'm sure they'll find workarounds.

Any AV scanner or VPN app

 

[jinnj]

Umm.... that's like a decent amount of professional apps.

Just cause Professional Apps have them does not mean it needs them.

 

[jinnj]

Just makes the M1 less useful as far as I'm concerned. Make things too difficult and they are just dropped/ignored. I love the M1 but something as basic as Xbox Controller doesn't work properly. I don't know why Apple has been advertising adding "support" for PS5 and Xbox Controllers when they just don't work even on the Beta where they are "supported".

Windows has a million options to get controllers working on everything. I can't use a controller on Hollow Knight in the DRM Free or Steam versions. Looking online reports of only some buttons working and not others. Just an inconsistent experience. Never had an issue with Windows.

My primary Apple use is in the mobile space. The M1 Air is the second Mac I have ever owned. I don't want to be a troublemaker but in all the years I've been in technology of all types the M1 Air feels a lot like a fancy Chromebook right now. Many things I want to do on it just don't work and I have a Ryzen Windows laptop next to it.

Hoping in time software will catch up. Apple really seems to want everything in their store/sandbox. Which is how opensource things end up costing money because there is no free way to play.

Processing power doesn't do much when there is no tools to use or worse the only tools are expensive and aimed at businesses.

Virtualization = Subscription
3D Slicers = Ones that work are proprietary and the universal ones are likely months/years away.
Games = Limited Controller Support
Basic Essentials (SSH) = Paid Apps and Subscriptions
Things I've taken for granted = Putty, Cura, VirtualBox/Hyper-V, XInput, Drivers

You know that during Vista development Microsoft attempted the same thing. They were under threat from the Anti-Virus mafia if they proceeded with it so they backed down.

"Basic Essentials (SSH) = Paid Apps and Subscriptions" What the hell? You are paying for SSH on MacOS? Are you sure you got a Mac? Open the Terminal.app and type in "ssh", I have my Xbox Controller connected with no issues. Cura works. Don't use VMs but Docker works.

 

[Stromos]

You know that during Vista development Microsoft attempted the same thing. They were under threat from the Anti-Virus mafia if they proceeded with it so they backed down.

"Basic Essentials (SSH) = Paid Apps and Subscriptions" What the hell? You are paying for SSH on MacOS? Are you sure you got a Mac? Open the Terminal.app and type in "ssh", I have my Xbox Controller connected with no issues. Cura works. Don't use VMs but Docker works.

Yes terminal works but 80% of my home environment is Linux. Putty has all my sessions saved. There is no quick open source SSH app that has a session manager. I could say the same thing about Windows and use the built in SSH client but it doesn’t scale.

Cura works kind of. It’s using Rosetta and anything beyond basic models crash the program like crazy in preview. Even Cura has pointed out between dependencies and everything else required don’t hold your breath.

Xbox controller connects fine that wasn’t my point. My point was applications have to support it. In Windows a simple helper program does the work with little/no configuration. I saw a post over the weekend on a helper program for Mac but it was mapping buttons to the keyboard which meant changing security options then sitting there mapping keys making profiles per app.

I have been messing with the open source VM programs but that’s kind of my point.

Anything beyond surfing the web/apps is more work/money than Windows. Putty is installed the moment I build a new machine it just works. Cura just install it. Virtualbox same thing. Mac is download some stuff from GitHub someone may or may not ever support again get through the hoops of allowing it to run. Then maybe you have something.

I was really enjoying messing with virtualization until both GitHubs I was messing with just stopped updating in December. Kinda funny it was around the same time Parallels did their technology preview. Sorry not paying a subscription for a hypervisior. Even greedy Microsoft has HyperV for free.

 

[leman]

But as I said above, I'm not too worried since I'm pretty sure you'll always be able to turn off SIP to load kexts. I don't think Apple can completely pull support for kexts... you really don't want to integrate everything right into the kernel.

I m sure that pulling support for kexts is exactly what they intend to do. With unified hardware across the board, they only need a handful of drivers, all of which can be integrated into a monolithic kernel. Support for third-party devices is strictly via userland drivers only. Performance will be ok because hardware will be designed for it.

I have no idea how it will impact stuff like file systems (if one can write a fast SCSI driver in userland, why can’t the same be done for ZFS?), but then again it’s not really a huge area of interest. APFS is a decent enough FS and you won’t be running an NAS from your mac anyway...

 

[soroyv]

I have a Thunderbolt 3 interface from Universal Audio that requires kernel extensions and had to boot into recovery mode on my M1 MacBook Air to get them installed and working.

I hope this interface will work on future releases as well.

 

[nt5672]

Herding developers to run app code in userspace instead of the kernel is just a good idea in general.

I've already been avoiding kext-based apps where possible for years.

Yep, me too. But it should be user choice, not a limitation of the platform.