10.13 Secure Kernel Extension Loading Implementation is Detrimental to Security and Deployment

Originator: arubdesu
Number: rdar://33628591 Date Originated: 31 July 2017
Status: Closed Resolved:
Product: macOS + SDK Product Version: 10.13b4
Classification: Reproducible: Always
 
Summary:
Secure Kernel Extension Loading negatively affects usability for end users and as a result makes the experience less secure overall. It is also not manageable for organizations with any business need to ensure the functionality of kernel extensions in its current implementation.

Steps to Reproduce:

Install a file sync, audio driver, printer, virtualization, hardware accessory, or security product whose kernel extension is properly signed with a certificate approved by Apple.

Expected Results:
Signed kernel extensions are loaded and functional.

Observed Results:

The kext is not loaded. At install time, a confusingly worded prompt names the developer by the certificate's Subject Common Name field, which will almost never match the product name the user saw in the installer's window title. The prompt offers no one-click path to the appropriate System Preferences -> Security pane. The end user may enable the kext only within a 30-minute window, and only once the kext is attempted to be loaded again. If the developer ships kexts from multiple directories, or used different Team IDs for the products in their suite, multiple checkboxes appear.

Version:

10.13 Beta 4

Notes:
The strategy to address this change proposed in Technical Note TN2459 falls short of reasonably addressing any business concerns. Getting every new computer into an environment where spctl can run to perform whitelisting is contrary to Apple's guidance not to maintain imaging infrastructure. Unlike GUI whitelisting, exceptions to or disabling of this new behavior via spctl can be reset with NVRAM. This makes enterprise IT less confident that the loading of signed kexts can't (inadvertently or otherwise) be directly circumvented; in departments where use of these kexts is compliance-mandated, this will remove the option of purchasing or using Macs.
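As an added illustration (not part of the radar, and not Apple's or TN2459's own code), the script below wraps the `spctl kext-consent` subcommands that TN2459 documents for pre-approving developer Team IDs on 10.13. It assumes the commands are run from the Recovery OS Terminal, as TN2459 requires; the Team ID values and the whitelist file path are constructed placeholders. The point an administrator would want from it is the drift check: because an NVRAM reset clears these consents (the concern raised above), the status and list should be re-read after any such reset rather than assumed to persist.

```shell
#!/bin/sh
# Added example, not from the radar or TN2459. Wraps the 10.13
# `spctl kext-consent` subcommands, which must be run from the Recovery OS.
# Team IDs and file paths below are constructed placeholders.
set -eu

# A Team ID is the 10-character uppercase alphanumeric identifier Apple
# assigns to a developer account; the 10.13 approval UI keys on it.
# Returns 0 for a well-formed ID, 1 otherwise.
validate_team_id() {
  case "$1" in
    ""|*[!A-Z0-9]*) return 1 ;;
  esac
  [ "${#1}" -eq 10 ]
}

# Show whether user-approved kext loading is currently enforced.
# Re-run this after any NVRAM reset: the consent state lives there.
kext_consent_status() {
  spctl kext-consent status
}

# Show which Team IDs are currently pre-approved.
kext_consent_list() {
  spctl kext-consent list
}

# Pre-approve one developer Team ID so its signed kexts load without the
# per-user prompt. Refuses malformed IDs instead of passing them to spctl.
kext_allow_team() {
  team_id="$1"
  if ! validate_team_id "$team_id"; then
    printf 'refusing malformed Team ID: %s\n' "$team_id" >&2
    return 1
  fi
  spctl kext-consent add "$team_id"
}

# Apply a whitelist file of Team IDs, one per line, `#` comments allowed.
# Example file content (constructed):
#   ABCDE12345   # hypothetical file-sync vendor
#   ZYXWV98765   # hypothetical audio driver vendor
kext_allow_from_file() {
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"
    line="$(printf '%s' "$line" | tr -d '[:space:]')"
    [ -n "$line" ] || continue
    kext_allow_team "$line"
  done < "$1"
  kext_consent_list
}

# After reboot into the normal OS: confirm a kext actually loaded, by
# bundle identifier, using kextstat's bundle filter (-b).
kext_is_loaded() {
  kextstat -l -b "$1" | grep -q "$1"
}
```

Typical use from Recovery is `kext_allow_from_file /path/to/teamids.txt` (placeholder path) followed by `kext_consent_status`; after booting normally, `kext_is_loaded com.example.kext` (placeholder bundle ID) verifies the outcome rather than trusting the approval UI.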

Duplicates

Number Status Originator Product Title
rdar://33628971 Duplicate/33628591 rderewianko macOS + SDK 10.13 Secure Kernel Extension Loading Implementation is Detrimental to Security and Deployment

Comments

Not closed, but message left indicating Duplicate of 33163283

August 10 2017, 7:18 PM

Engineering has determined that your bug report is a duplicate of another issue and will be closed. The open or closed status of the original report your bug was duplicated to appears in a text box within the bug detail section of the bug reporter user interface. For security and privacy reasons, we don't provide access to the original bug yours was duped to. If you have any questions or concerns, please update your report directly at this link: https://bugreport.apple.com/
