Topic: Need to give permission for new kernel extensions in High Sierra

elagache

Dear WeatherCat sys-admins,

The November 2017 issue of Mac|Life magazine has an article on a few features of High Sierra that most of us probably weren't aware of. macOS will now disable any kernel extension unless you explicitly give it permission to run in the Security and Privacy pane of the system preferences. Apple has provided a bulletin on the change that you can read here:

https://support.apple.com/en-us/HT208019

Apple doesn't make the situation particularly intuitive either. When you install a kernel extension, it will simply put up a dialog box saying the extension is blocked. There is an <Okay> button but that simply dismisses the dialog. The only way to enable your kernel extension is to explicitly turn it on in the Security and Privacy pane.

It is also possible to disable this feature completely using a command line tool in recovery mode.

Any kernel extensions already on your computer are "grandfathered" in, so those of you with Davis stations who upgraded to High Sierra weren't affected. However, there are two situations when you might have to explicitly enable a kernel driver. The permission status of the extensions is stored in NVRAM. If you need to reset that, you'll need to explicitly give permission to your kernel extensions once more. The other situation is when changing computers. If you restore the contents of an older computer from a backup, the NVRAM of the new Mac won't have any kernel extension permissions. So once more you'll have to manually give permissions for your kernel extensions to run.

Sadly, the reviews of this new security measure aren't exactly stellar. What is a small matter for individual users is a nightmare for organizations with many Macs that have kernel extensions. At the same time, a security expert has already shown that it is "trivial" (his words) to get around this feature:

https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/

Once more as Jimmy Durante would state: "Such are da' conditions that prevail . . . . . . "

Cheers, Edouard

xairbusdriver

Re: Need to give permission for new kernel extensions in High Sierra
« Reply #1 on: October 18, 2017, 11:56:15 PM »
Just another reason to delay installing the latest and greatest OS on my mini running WC. See no reason to update the OS on that machine until/unless there comes a time when it gets replaced or WC does something that requires a different OS.

I don't understand most of what I read in the links you provided, but I've never much appreciated using a database of white- or black-listed items to provide security. The items in such a list can change at any time and until the list is actually updated on the user's machine, the vulnerability is still available. I'm not sure Apple should trust users to make timely updates to such files.


elagache

Dear X-Air and WeatherCat "let other people make the mistakes first" types,

> Just another reason to delay installing the latest and greatest OS on my mini running WC. See no reason to update the OS on that machine until/unless there comes a time when it gets replaced or WC does something that requires a different OS.

As is well known, I have an "old school" sys-admin view of OS updates. Computer users don't seem to realize that the OS is very much the underlying "ecosystem" of your computer. Upgrade to one piece of flawed software, and only the tasks performed with that software are affected. Usually, it is easy to roll back to a previous version of an application. While not impossible, rolling back to a previous version of the operating system is much more involved and tricky. A flaky OS can break not one but many of the apps that you depend on. I'm still getting notifications from developers that either they just made their apps High Sierra compatible or it turns out they introduced bugs in their attempts to achieve compatibility. Even if Apple's code was 100% perfect, there are good reasons to delay an OS upgrade until "the dust settles."

> I don't understand most of what I read in the links you provided, but I've never much appreciated using a database of white- or black-listed items to provide security. The items in such a list can change at any time and until the list is actually updated on the user's machine, the vulnerability is still available. I'm not sure Apple should trust users to make timely updates to such files.

I'm afraid computer security is one of those domains where the over-confidence of the geek culture is really evident. The need for security is as old as civilization itself. Given those many thousands of years to develop security solutions, some really clever solutions have been developed. Even if they don't seem to have a software analogue, that doesn't mean there isn't one. Apple and the other software developers aren't trying anything particularly novel and they clearly haven't come to grips with what it means to make code bullet-proof. I assume the military knows a lot about this. The fly-by-wire systems in current weapons must be very sophisticated and extremely reliable. Yet I don't think you'll find engineers from Apple, Google or Microsoft trying to learn about software reliability from the developers of military (or even civilian) avionics. When I grew up modesty was a virtue and most people understood they weren't experts in everything - even within their nominal discipline. Alas, as we all know, the Silicon Valley has become one of the most powerful forces in our society. As one of my advisors for my PhD once said: "Power can be the means to avoid having to learn something."

Cheers, Edouard