Kernel Extensions and System Extensions
1. How are System Extensions different from Kernel Extensions?
Kernel extensions and system extensions are pieces of software that run in the background to extend the functionality of the native macOS. They give apps the freedom to run powerful and complex functions on the device. For example, antivirus apps, USB drivers and DNS proxies make use of such extensions to support these features on the Mac.
System extensions are the modern alternative to kernel extensions. Kernel extensions, or KEXTs, dynamically load code into the macOS kernel, which allows complex apps to function properly on the device. Code running in the kernel can access parts of the OS that regular programs cannot reach, so an error or bug in that code can cause severe damage, such as a kernel panic that crashes the OS. System extensions are installed and managed in a tightly controlled user space rather than in the kernel, which improves stability and security: any instability or bug in a system extension affects only the software that contains it. System extensions also give end users more control and help limit kernel-level attacks.
Another difference is that developers of a kernel extension were restricted to C or C++ and a single framework. An app that uses a system extension can be developed with any macOS SDK framework and any programming language. Note that driver extensions (which are a kind of system extension) still require C or C++ and the DriverKit frameworks.
2. Why do macOS devices show the System Extension Blocked error message when loading them?
Because of the upgraded security on Mac, kernel extensions installed with or after macOS High Sierra are not allowed to load unless they are approved by the user. This mechanism is called User Approved Kernel Extension Loading.
3. Do all kernel extensions require user consent to load on macOS High Sierra?
User approval is not necessary for:
- Kernel extensions already installed on the device before upgrading to macOS High Sierra.
- Kernel extensions that replace previously approved extensions.
- Kernel extensions that are permitted to load without user consent by using the spctl command while the Mac is started up from Recovery.
- Kernel extensions that are permitted to load by the Kernel Extensions Policy.
4. Are all system extensions or kernel extensions supported on every macOS version?
Not all system extensions are compatible with current or future macOS versions. A kernel extension supported on an earlier macOS version may not be compatible with later versions. Also, Apple identifies macOS Catalina as the last macOS to support kernel extensions.
5. How to manage kernel extensions on macOS devices with Apple Silicon?
Macs with Apple Silicon use the highest security level, called Full Security, to safeguard them from tampering. Therefore, before a kernel extension (KEXT) can be installed on a Mac with Apple Silicon, the security policy must be set to Reduced Security.
Remote management of kernel extensions is possible with a UEM, but it must be authorized. Devices enrolled in a UEM via DEP receive this authorization automatically; for devices enrolled by other methods, you have to change the security settings manually to authorize remote management of kernel extensions.
6. Why are system extensions preferred over kernel extensions?
Kernel extensions (KEXTs) are no longer recommended on Macs. KEXTs increase the attack surface because they have direct access to the system kernel. System extensions improve a macOS device's stability and security by operating at the user level rather than at the kernel level.
However, software that supports a wide range of macOS versions can continue to use kernel extensions on older versions and system extensions on the macOS versions that support them.
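The user-space approval state that the answers above describe is visible on a Mac through `systemextensionsctl list`. The script below is an added example, not part of the original FAQ or of any vendor tool: it parses that output and reports which extensions are fully activated and which are still waiting for approval. The sample output embedded in it is constructed, and its tab-separated column layout is an assumption about what the tool prints, so check it against a real device before relying on the parser.

```shell
#!/bin/sh
# Added example (not part of the original FAQ): summarise system extension
# state from the output of `systemextensionsctl list`.
# The sample below is CONSTRUCTED in the tab-separated layout the tool prints
# (an assumption about the format; verify on your own Mac). On a real device
# you would feed it live output instead:  sysext_pending "$(systemextensionsctl list)"

sample_sysext_output() {
    printf '%s\n' '2 extension(s)'
    printf '%s\n' '--- com.apple.system_extension.endpoint_security'
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' enabled active teamID 'bundleID (version)' name '[state]'
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' '*' '*' EXAMPLETEAM 'com.example.edr.agent (3.1/301)' ExampleEDR '[activated enabled]'
    printf '%s\n' '--- com.apple.system_extension.network_extension'
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' enabled active teamID 'bundleID (version)' name '[state]'
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' '' '' EXAMPLETEAM 'com.example.vpn.tunnel (2.0/200)' ExampleVPN '[activated waiting for user]'
}

# Print "bundleID<TAB>state" for every extension row. Data rows and the per-category
# header both end in a bracketed state, so the header is excluded by its 4th column.
sysext_states() {
    printf '%s\n' "$1" | awk -F'\t' '/\[.*\]$/ && $4 != "bundleID (version)" {
        split($4, id, " ")                # bundle ID is the text before the version
        state = $NF
        gsub(/\[/, "", state); gsub(/\]/, "", state)
        print id[1] "\t" state
    }'
}

# Bundle IDs that are not yet "activated enabled": the user (or an MDM profile)
# still has to approve them, which is what the System Extension Blocked prompt is about.
sysext_pending() {
    sysext_states "$1" | awk -F'\t' '$2 != "activated enabled" { print $1 }'
}

# Number of extensions in the fully working state.
sysext_enabled_count() {
    sysext_states "$1" | awk -F'\t' '$2 == "activated enabled"' | wc -l | tr -d ' '
}

sysext_states "$(sample_sysext_output)"
echo "Awaiting approval: $(sysext_pending "$(sample_sysext_output)")"
```

Running it against the constructed sample lists the EDR extension as `activated enabled` and the VPN tunnel as `activated waiting for user`; on a fleet, a non-empty `sysext_pending` result is the signal that a device still needs the approval an MDM profile would normally deliver.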
7. What are the reasons for a kernel panic that occurs with the installation of third-party KEXTs?
The reasons for a kernel panic arising from the installation of KEXTs can vary.
- Moving the KEXT file from its installed location without moving its associated peripherals can result in a kernel panic.
- Certain kernel extensions must be uninstalled before updating the operating system to prevent a kernel panic.
- Since Apple changes features with every new update, a kernel extension that is not compatible with the new operating system may also cause a kernel panic.
8. Why do certain applications that rely on KEXTs not work as intended on all macOS versions?
Not all macOS versions support every kernel extension. For instance, certain KEXTs are not supported on macOS Big Sur, which can be why such applications do not work as expected.
9. Why must the device be restarted to load third-party kernel extensions into the kernel?
Beginning with macOS 11, third-party KEXTs, even when enabled, are not loaded into the running kernel on demand. Instead, they are combined into an Auxiliary Kernel Collection (AuxKC) that is loaded during boot. A restart rebuilds the AuxKC and loads the changes into the kernel.
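Because every third-party kext resident on a macOS 11 or later Mac got there through the AuxKC built at the last restart, the loaded-kext list is a useful inventory of what user approval (question 3) and the Reduced Security policy (question 5) have let in. The script below is an added example, not part of the original FAQ or of any vendor tool: it parses the output of `kmutil showloaded` (or `kextstat` on earlier releases) and reports the kexts whose bundle identifier is not Apple's. The sample output is constructed, and the column layout is an assumption about what the tool prints, so verify it on a real Mac.

```shell
#!/bin/sh
# Added example (not part of the original FAQ): list the third-party kexts in the
# running kernel from the output of `kmutil showloaded` (macOS 11+; `kextstat` on
# earlier versions prints the same columns). On macOS 11+ every third-party kext
# that is loaded got there via the AuxKC built at the last restart.
# The sample below is CONSTRUCTED; the column layout is an assumption about the
# tool's output, so verify it against your own Mac before relying on the parser.
# Live use:  third_party_kexts "$(kmutil showloaded)"

sample_kmutil_output() {
    printf '%s\n' 'No variant specified, falling back to release'
    printf '%s\n' 'Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>'
    printf '%s\n' '    1  160 0                  0          0          com.apple.kpi.bsd (20.6.0) 00000000-0000-0000-0000-000000000000'
    printf '%s\n' '  170    0 0xffffff7f8a4f5000 0x7000     0x7000     com.example.usbdriver (1.2.3) 11111111-1111-1111-1111-111111111111 <5 3 1>'
    printf '%s\n' '  171    0 0xffffff7f8a500000 0x1a000    0x1a000    com.example.filter (4.0.1) 22222222-2222-2222-2222-222222222222 <170 5 3 1>'
}

# Print "bundleID<TAB>version" for each loaded kext whose bundle ID is not Apple's.
# Rows are recognised by a numeric index in column 1, which skips the two header lines.
third_party_kexts() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $6 !~ /^com\.apple\./ {
        ver = $7
        gsub(/[()]/, "", ver)             # strip the parentheses around the version
        print $6 "\t" ver
    }'
}

# How many third-party kexts are resident. On Apple Silicon a non-zero count means
# the machine is running at Reduced Security and belongs on the inventory list.
third_party_kext_count() {
    third_party_kexts "$1" | wc -l | tr -d ' '
}

third_party_kexts "$(sample_kmutil_output)"
echo "Third-party kexts loaded: $(third_party_kext_count "$(sample_kmutil_output)")"
```

A kext that a user or a profile approved but that does not appear in this list has not been loaded yet, which is usually the restart-needed condition this question describes.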