Tags: macos, iokit, pci, entitlements, driverkit

PCIDriverKit Entitlement check failed (migrate KEXT to DEXT)


kernel: DK: MyDriver-0x100000f45: provider entitlements check failed
kernel: DK: IOUserServer(com.MyDriver-0x100000f45)::exit(Entitlements check failed)
kernel: (com.MyDriver.dext) Kernel requested exit (Entitlements check failed)

I'm trying to create a driver using PCIDriverKit. Cannot find any reasonable sample code for this.

My problem is that I'm trying to access all devices, and even though I've put their masks correctly in the Info.plist (0x12345678&0x000000000) and set the com.apple.developer.driverkit = TRUE and com.apple.developer.driverkit.transport.pci entitlements, for most of the devices I get the above errors in the macOS log. In a KEXT I was using before, the same mask worked perfectly fine.

SIP is disabled of course, and system extension developer mode is on.

I'm using the "Sign to run locally" option in Xcode at the moment, as this is the development phase.

How can I get a DEXT to open all PCI devices on my Mac?

Edit: These are the entitlements of the DEXT according to codesign -d --entitlements -:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>com.apple.developer.driverkit</key>
        <true/>
        <key>com.apple.developer.driverkit.transport.pci</key>
        <array>
                <dict>
                        <key>IOPCIPrimaryMatch</key>
                        <string>0x12345678&amp;0x00000000</string>
                </dict>
        </array>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.get-task-allow</key>
        <true/>
</dict>
</plist>

amfid logs:

amfid: [com.apple.MobileFileIntegrity:amfid] Basic requirement validation failed, error: (null)
amfid: /Library/SystemExtensions/{SOME_GUID}/com.MyDriver.dext/com.MyDriver signature not valid: -67050
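The question asks how to make one dext claim every PCI device, so it is worth separating the matching half of the problem from the signing half. The block below is an added example written for this page, not code from the question or the answer; it evaluates IOPCIPrimaryMatch strings the way IOPCIFamily does, assuming the documented entry format: one or more space-separated entries of the form 0xDDDDVVVV or 0xDDDDVVVV&0xMMMMMMMM, compared under the mask against the 32-bit vendor/device register (device ID in the high 16 bits, vendor ID in the low 16 bits), with a missing mask meaning all bits are compared. The sample devices are constructed, not read from a real machine. It shows that the question's mask of zero is a wildcard that matches every device, so the kernel's complaint is about entitlements, not about the match string.

```python
"""Evaluate IOPCIPrimaryMatch strings the way IOPCIFamily matches PCI devices.

Added example for the question above; not code from the question or the answer.
Assumes the documented entry format: space-separated entries of the form
0xDDDDVVVV or 0xDDDDVVVV&0xMMMMMMMM, compared against the 32-bit vendor/device
register (device ID high 16 bits, vendor ID low 16 bits). A missing mask means
every bit is compared.
"""
import re

# value[&mask]; strtoul-style parsing accepts more than 8 hex digits, so allow it too
_ENTRY = re.compile(r"^(0x[0-9a-fA-F]+)(?:&(0x[0-9a-fA-F]+))?$")


def parse_primary_match(spec):
    """Turn 'value[&mask] value[&mask] ...' into a list of (value, mask) pairs."""
    entries = []
    for token in spec.split():
        m = _ENTRY.match(token)
        if not m:
            raise ValueError(f"malformed IOPCIPrimaryMatch entry: {token!r}")
        value = int(m.group(1), 16) & 0xFFFFFFFF
        mask = (int(m.group(2), 16) & 0xFFFFFFFF) if m.group(2) else 0xFFFFFFFF
        entries.append((value, mask))
    return entries


def pci_id_register(vendor_id, device_id):
    """Config-space offset 0 as a 32-bit value: device ID high, vendor ID low."""
    return ((device_id & 0xFFFF) << 16) | (vendor_id & 0xFFFF)


def primary_match(spec, vendor_id, device_id):
    """True if any entry in spec matches the device once both sides are masked."""
    reg = pci_id_register(vendor_id, device_id)
    return any((reg & mask) == (value & mask) for value, mask in parse_primary_match(spec))


# Constructed sample devices (vendor ID, device ID); not taken from a real machine.
SAMPLE_DEVICES = {
    "nic": (0x8086, 0x10D3),
    "gpu": (0x1002, 0x67DF),
    "bridge": (0x8086, 0x1901),
}


def matched_devices(spec, devices=SAMPLE_DEVICES):
    """Names of the sample devices a given match string would claim."""
    return sorted(name for name, (vid, did) in devices.items() if primary_match(spec, vid, did))


if __name__ == "__main__":
    for spec in ("0x12345678&0x00000000",   # the question's wildcard: mask 0 matches everything
                 "0x00008086&0x0000FFFF",   # vendor-only match
                 "0x10D38086",              # exact device, implicit full mask
                 "0x12345678"):             # exact match that no sample device satisfies
        print(f"{spec:24} -> {matched_devices(spec)}")
```

The same evaluation applies to the entry carried in the entitlement: a profile that only grants a narrow IOPCIPrimaryMatch will not cover a dext that claims the wildcard.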

Solution

  • I don't have a 100% answer as to why it's going wrong in your case. To load a dext on an unmodified system, you definitely need the following when codesigning your dext:

    • Signed with a 'Developer ID Application' certificate identity and notarised, or signed with an 'Apple Developer' certificate
    • Embedded code signing entitlements including the generic DriverKit entitlement, any family-specific entitlements, and entitlements regarding user client access if necessary.
    • A provisioning profile from Apple which matches:
      1. The code signing entitlements you are embedding in the dext.
      2. The type and specific instance of the code signing identity you are using to sign the dext.
      3. The Application & Bundle ID of the dext.
      4. If using an Apple Developer signing identity, the hardware IDs of the Macs on which you will be testing the dext.

    For local testing, you can try the following things to temporarily work around code signing issues:

    • Disabling System Integrity Protection (SIP). For purposes of DriverKit extensions, this disables some codesigning checks.
    • Disabling DriverKit-specific entitlements checks. This turns off checking for a lot of family-specific entitlements. To disable the checks, set flag 0x8000 in the dk kernel boot argument, which is a bitfield. Note that unless you set flag 0x1, DriverKit will be entirely disabled. So use dk=0x8001 to disable DriverKit entitlement checks.
    • Disabling AMFI checks. AMFI will normally kill your process if you try to claim entitlements which need to be enabled in a provisioning profile. You can disable AMFI with the amfi_get_out_of_my_way=1 kernel boot argument.

    Obviously, you only have limited control over the provisioning profile, as the entitlements in it must be approved by Apple. (For this reason, if you're planning to ship your dext publicly, I generally recommend you try to work out what entitlements you might need before starting full development on the dext, and request them from Apple. The process can take months.) So while it would be interesting to know the exact minimum combination of workarounds required when you don't have these profiles, I haven't exhaustively tested this out yet. I realise this doesn't help much with getting your dext as close to shipping as possible while still waiting for Apple to grant missing entitlements. Hopefully one of these days I can systematically explore and document all of this.
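The answer's point 1 (the profile must match the entitlements embedded in the dext) is the one you can check offline before touching boot arguments. The block below is an added example written for this page, not the answer author's code: it diffs the entitlements a dext claims against the entitlements its provisioning profile grants. On macOS the two inputs come from `codesign -d --entitlements :- <path-to.dext>` (the colon prefix strips the binary blob header that shows up as `▒▒qq` in the question) and `security cms -D -i embedded.provisionprofile` on the profile inside the bundle; both are property lists, and the profile keeps its grants under the `Entitlements` key. The comparison rule (only `com.apple.developer.*` keys must be granted, scalar values must be equal, and every match dictionary in an array-valued entitlement must appear in the profile's array) is a simplification assumed for illustration, not a statement of exactly what amfid enforces. The dext entitlements are copied from the question's dump; the profile contents, team ID and bundle ID are constructed.

```python
"""Diff a dext's embedded entitlements against its provisioning profile.

Added example for the answer above; not the answer author's code. The matching
rule below is a simplification assumed for illustration. Sample inputs are a
copy of the question's entitlement dump and a constructed profile.
"""
import plistlib

# Entitlements as the question's `codesign -d --entitlements -` output shows them
# (constructed copy of that dump; the leading blob-header bytes are omitted).
DEXT_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.driverkit</key>
    <true/>
    <key>com.apple.developer.driverkit.transport.pci</key>
    <array>
        <dict>
            <key>IOPCIPrimaryMatch</key>
            <string>0x12345678&amp;0x00000000</string>
        </dict>
    </array>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>
"""

# Assumption for this example: only keys in this namespace need a profile grant;
# app-sandbox and get-task-allow are deliberately not compared here.
RESTRICTED_PREFIX = "com.apple.developer."


def constructed_profile(pci_matches):
    """Build a minimal decoded profile like `security cms -D` would print.

    Constructed for the example; team ID and bundle ID are placeholders.
    Pass None to build a profile that grants no PCI transport entitlement."""
    entitlements = {
        "application-identifier": "ABCDE12345.com.MyDriver",
        "com.apple.developer.team-identifier": "ABCDE12345",
        "com.apple.developer.driverkit": True,
        "get-task-allow": True,
    }
    if pci_matches is not None:
        entitlements["com.apple.developer.driverkit.transport.pci"] = [
            {"IOPCIPrimaryMatch": m} for m in pci_matches
        ]
    return plistlib.dumps({"Name": "MyDriver Development", "Entitlements": entitlements})


def unprovisioned_entitlements(dext_entitlements, profile):
    """Return a list of human-readable mismatches; an empty list means the
    profile covers every restricted entitlement the dext claims."""
    claimed = plistlib.loads(dext_entitlements)
    granted = plistlib.loads(profile).get("Entitlements", {})
    problems = []
    for key, value in claimed.items():
        if not key.startswith(RESTRICTED_PREFIX):
            continue
        if key not in granted:
            problems.append(f"{key}: claimed by the dext but absent from the profile")
            continue
        allowed = granted[key]
        if isinstance(value, list):
            if not isinstance(allowed, list):
                problems.append(f"{key}: dext claims a list, profile grants {allowed!r}")
                continue
            # each claimed match dictionary must be granted verbatim
            for entry in value:
                if entry not in allowed:
                    problems.append(f"{key}: match {entry!r} not granted by the profile")
        elif value != allowed:
            problems.append(f"{key}: dext claims {value!r}, profile grants {allowed!r}")
    return problems


if __name__ == "__main__":
    cases = {
        "wildcard granted": constructed_profile(["0x12345678&0x00000000"]),
        "narrow grant only": constructed_profile(["0x10D38086"]),
        "no PCI grant": constructed_profile(None),
    }
    for name, profile in cases.items():
        print(name, "->", unprovisioned_entitlements(DEXT_ENTITLEMENTS, profile) or "ok")
```

If the list comes back empty and the dext still exits with "Entitlements check failed", the remaining suspects from the answer are the signing identity itself and the device list in a development profile; if it is non-empty, no amount of `dk=` or `amfi_get_out_of_my_way=1` tinkering will make the build shippable, and the missing entitlement is what needs to be requested from Apple.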