macos-high-sierra, kernel-extension

Test User Approval Kernel Extension Loading on mac (TN2459)


TN2459 (https://developer.apple.com/library/content/technotes/tn2459/_index.html) explains that, under macOS High Sierra, user approval is required for loading new third-party kernel extensions.

The kext that I would like to test had already been loaded before upgrading to High Sierra, so loading the same kext after the upgrade does not trigger the user approval flow that I would like to test against.

The kernel extension user consent is enabled:

$ spctl kext-consent status
Kernel Extension User Consent: ENABLED 

I deleted the entry that corresponds to the kext in the kext_policy table in /private/var/db/SystemPolicyConfiguration/KextPolicy in recovery mode and restarted several times. But the user approval flow is still not triggered when I load the kext.

I wonder if the policy info is cached somewhere else and whether I need to clear NVRAM on my machine or tell syspolicyd to clear its cache? Or are there other things that I need to do?


Solution

  • In short, you have to boot in recovery mode (Mac+R) and edit the sqlite table /private/var/db/SystemPolicyConfiguration/KextPolicy.

    This table is accessible in read-only mode in normal boot:

    sqlite3 /private/var/db/SystemPolicyConfiguration/KextPolicy
    sqlite> SELECT * FROM kext_policy;
    sqlite> SELECT * FROM kext_load_history_v3;
    

    You have to remove your entries (in recovery mode) and reboot, like this (replace 'G43BCU2T37' with your team_id):

    sqlite> DELETE FROM kext_policy WHERE team_id = 'G43BCU2T37';
    sqlite> DELETE FROM kext_load_history_v3 WHERE team_id = 'G43BCU2T37';
    sqlite> .exit
    

    To avoid the reboot every time, you could alter the "System Integrity Protection" configuration (in recovery mode): csrutil enable --without fs --no-internal. Now kext_policy is changeable from normal boot.

    The whole procedure is described here: https://forums.developer.apple.com/thread/79172#248518.
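The answer above reads the KextPolicy database with the sqlite3 shell and then deletes the rows for one team ID. The following script is an added example, not code from the question or the answer: it opens the same database read-only (which is all a normal boot allows), lists which third-party kexts the user has approved, and produces the two DELETE statements from the answer for a given team ID after checking that the ID is a plain alphanumeric token. Only the team_id column is named on the page; the other columns (bundle_id, allowed, developer_name, flags) are assumed, and the sample rows are constructed so the script runs without access to a real Mac.

```python
"""Read-only audit of the macOS High Sierra KextPolicy database.

Added example, not from the question or answer above. The column list for
kext_policy is an assumption (only team_id is named on the page); the sample
rows are constructed for offline use.
"""
import sqlite3

# Path from the page; on a normal boot the file is only readable.
KEXT_POLICY_DB = "/private/var/db/SystemPolicyConfiguration/KextPolicy"

# Constructed sample rows: (team_id, bundle_id, allowed, developer_name, flags)
SAMPLE_ROWS = [
    ("G43BCU2T37", "com.example.driver", 1, "Example Corp", 1),
    ("G43BCU2T37", "com.example.helper", 0, "Example Corp", 1),
    ("TEAMIDXXXX", "com.other.kext", 1, "Other Developer", 1),
]


def open_policy_db(path=KEXT_POLICY_DB):
    """Open the real database read-only via a URI so no write is ever attempted."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db():
    """In-memory stand-in for KextPolicy using the assumed kext_policy layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE kext_policy ("
        "team_id TEXT, bundle_id TEXT, allowed INTEGER, "
        "developer_name TEXT, flags INTEGER)"
    )
    conn.executemany("INSERT INTO kext_policy VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def approved_kexts(conn):
    """Every kext the user has approved: the set a defender wants to review."""
    cur = conn.execute(
        "SELECT team_id, bundle_id, developer_name FROM kext_policy "
        "WHERE allowed = 1 ORDER BY team_id, bundle_id"
    )
    return cur.fetchall()


def entries_for_team(conn, team_id):
    """Rows that the answer's DELETE statements would remove for one team ID."""
    cur = conn.execute(
        "SELECT bundle_id, allowed FROM kext_policy WHERE team_id = ? "
        "ORDER BY bundle_id",
        (team_id,),
    )
    return cur.fetchall()


def reset_statements(team_id):
    """The two DELETE statements from the answer, to be run from recovery mode.

    The team ID is interpolated into SQL text meant for the sqlite3 shell, so it
    is restricted to an alphanumeric token; anything else is rejected.
    """
    if not team_id.isalnum():
        raise ValueError("team_id must be alphanumeric")
    return [
        f"DELETE FROM kext_policy WHERE team_id = '{team_id}';",
        f"DELETE FROM kext_load_history_v3 WHERE team_id = '{team_id}';",
    ]


if __name__ == "__main__":
    try:
        conn = open_policy_db()          # real database on a Mac
    except sqlite3.OperationalError:
        conn = build_sample_db()         # constructed data elsewhere
    for team, bundle, dev in approved_kexts(conn):
        print(f"approved  {team}  {bundle}  ({dev})")
    for stmt in reset_statements("G43BCU2T37"):
        print(stmt)
```

On a Mac, run it as is to list approved kexts; the DELETE statements it prints are only useful when pasted into the sqlite3 shell from recovery mode, exactly as the answer describes, because SIP keeps the file read-only on a normal boot.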