Codesigned kext, but why does it not load in Yosemite (10.10)?

梦如初夏 2021-02-15 00:04

I code-signed a kext in Yosemite, but kextload failed.
It was a version 2 codesign. codesign --verify is true.
But kextload failed. Why does it not load?

3 answers
  • 2021-02-15 00:21

    I had the same problem too, and I found a solution to share with you.

    Apple changed the Mac Developer Program, and removed certification for kext from it. So even if you are a member of the Mac Developer Program, you will not get certification for kext development unless you request it at Developer ID and Gatekeeper.

    BTW, Apple says:

    "KEXT signing is intended for signing commercially shipping kexts or projects broadly distributed in a large organization."

    So what we can do is run our kext in KEXT Development Mode by adding the "kext-dev-mode=1" boot-arg, like this:

    sudo nvram boot-args="debug=0x146 kext-dev-mode=1"
    

    And reboot.

    I hope this is helpful for you.

  • 2021-02-15 00:26

    As of December 2016:

    This is due to the System Integrity Protection feature that was introduced in El Capitan (10.11). As of El Capitan, the kext-dev-mode boot option has no effect, so ParaDevil's answer does not work. Instead, you must disable SIP by following the instructions from this page:

    1. Boot to Recovery OS by restarting your machine and holding down the Command and R keys at startup.

    2. Launch Terminal from the Utilities menu.

    3. Run the following command:

      csrutil disable
      

    When you restart, System Integrity Protection should be disabled.

  • 2021-02-15 00:31

    I agree with ParaDevil's answer.
    For OS X Yosemite you can do the following:

    1. Download "Kernel Debug Kit";
    2. Run installer package;
    3. Continue to "Read Me" step;
    4. The "Read Me" says:

    In order to load unsigned kexts, the system must have "KEXT Developer Mode" enabled by adding the "kext-dev-mode=1" boot-arg. The following command (followed by a reboot) would be suitable to prepare a system for testing non-production kexts:     

    sudo nvram boot-args="debug=0x146 kext-dev-mode=1"
    

    Once this is done, the machine will be able to load any valid kext; signatures will still be checked, but a failed verification will just result in a log message. Note: This applies to kexts that contain a binary, as well as codeless (plist-only) kexts. The system will remain in developer mode until you manually remove the boot-arg or clear nvram and reboot. You can exit developer mode by redefining the boot-arg to your previous settings, or clear your boot-args as follows:

        

    sudo nvram -d boot-args
    

    Apple recommends that you make use of KEXT Developer Mode rather than use your Developer ID certificate to sign drivers while they are under development. Ideally you should sign a driver using a Developer ID certificate only when it reaches its final stages of testing and is being evaluated for release to customers.


    For OS X El Capitan 10.11 the command:

    sudo nvram boot-args="debug=0x146 kext-dev-mode=1"
    

    has no effect.

    Read System Integrity Protection Guide/Kernel Extensions for more information.

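A defender-side check for the two settings these answers describe, as an added example that is not part of the original posts: it reports whether kext signature enforcement has been relaxed on a machine. The function names and result strings are constructed for illustration; `sw_vers -productVersion`, `nvram boot-args` and `csrutil status` are the real commands it reads.

```shell
#!/bin/sh
# Added example: audit for relaxed kext signature enforcement.
# Function names and result strings are hypothetical, not from any Apple tool.

# Return 0 if the boot-args value contains kext-dev-mode=1 as a whole token.
has_kext_dev_mode() {
    for tok in $1; do
        [ "$tok" = "kext-dev-mode=1" ] && return 0
    done
    return 1
}

# Map the text printed by `csrutil status` to enabled / disabled / unknown.
sip_state() {
    case "$1" in
        *"status: enabled"*)  echo enabled ;;
        *"status: disabled"*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# $1 = OS version, $2 = boot-args value, $3 = `csrutil status` output
kext_enforcement() {
    case "$1" in
        10.10|10.10.*)
            # Yosemite: with kext-dev-mode=1 a failed check is only logged.
            if has_kext_dev_mode "$2"; then
                echo "WEAKENED: kext-dev-mode=1"
            else
                echo "ENFORCED"
            fi ;;
        10.[0-9]|10.[0-9].*)
            echo "NOT COVERED: release older than Yosemite" ;;
        *)
            # El Capitan and later: the boot-arg has no effect, SIP decides.
            case "$(sip_state "$3")" in
                disabled) echo "WEAKENED: SIP disabled" ;;
                enabled)  echo "ENFORCED" ;;
                *)        echo "UNKNOWN: could not read SIP status" ;;
            esac ;;
    esac
}

# Live check; skipped on hosts without sw_vers (anything that is not a Mac).
if command -v sw_vers >/dev/null 2>&1; then
    args=$(nvram boot-args 2>/dev/null | cut -f2-)
    kext_enforcement "$(sw_vers -productVersion)" "$args" "$(csrutil status 2>/dev/null)"
fi
```

A WEAKENED result on a machine that is not a driver test box means one of the settings above was left in place and should be reverted.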