macos iokit pci entitlements driverkit

PCIDriverKit Entitlement check failed (migrate KEXT to DEXT)


kernel: DK: MyDriver-0x100000f45: provider entitlements check failed
kernel: DK: IOUserServer(com.MyDriver-0x100000f45)::exit(Entitlements check failed)
kernel: (com.MyDriver.dext) Kernel requested exit (Entitlements check failed)

I'm trying to create a driver using PCIDriverKit. Cannot find any reasonable sample code for this.

My problem is that I'm trying to access all devices, and even though I've put their masks correctly in the Info.plist (0x12345678&0x000000000) and the com.apple.developer.driverkit = TRUE and com.apple.developer.driverkit.transport.pci entitlements, for most of the devices I get the above errors in the macOS log. In a KEXT I was using before, the same mask worked perfectly fine.

SIP is disabled of course, and system extension developer mode is on.

I'm using the "Sign to run locally" option in Xcode at the moment as this is a development phase.

How can I get a DEXT to open all PCI devices on my Mac?

Edit: These are the entitlements of the DEXT according to codesign -d --entitlements -:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>com.apple.developer.driverkit</key>
        <true/>
        <key>com.apple.developer.driverkit.transport.pci</key>
        <array>
                <dict>
                        <key>IOPCIPrimaryMatch</key>
                        <string>0x12345678&amp;0x00000000</string>
                </dict>
        </array>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.get-task-allow</key>
        <true/>
</dict>
</plist>

amfid logs:

amfid: [com.apple.MobileFileIntegrity:amfid] Basic requirement validation failed, error: (null)
amfid: /Library/SystemExtensions/{SOME_GUID}/com.MyDriver.dext/com.MyDriver signature not valid: -67050

Solution

  • I don't have a 100% answer as to why it's going wrong in your case. To load a dext on an unmodified system, you definitely need the following when codesigning your dext:

    For local testing, you can try the following things to temporarily work around code signing issues:

    Obviously, you only have limited control over the provisioning profile, as the entitlements in it must be approved by Apple. (For this reason, if you're planning to ship your dext publicly, I generally recommend you try to work out what entitlements you might need before starting full development on the dext, and request them from Apple. The process can take months.) So while it would be interesting to know the exact minimum combination of workarounds required when you don't have these profiles, I haven't exhaustively tested this out yet. I realise this doesn't help much with getting your dext as close to shipping as possible while still waiting for Apple to grant missing entitlements. Hopefully one of these days I can systematically explore and document all of this.
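An added example, not code from the question or the answer: a Python check that reads the entitlement plist printed by `codesign -d --entitlements -` (which can be preceded by a binary blob header) and reports which PCI IDs its IOPCIPrimaryMatch entries cover. It assumes the entitlement entries use IOPCIFamily's value&mask comparison against the 32-bit device/vendor ID register; the function names and the sample device ID are made up for illustration.

```python
import plistlib
import re

PCI_KEY = "com.apple.developer.driverkit.transport.pci"
PAIR = re.compile(r"([0-9a-fA-FxX]+)\s*(?:&\s*([0-9a-fA-FxX]+))?")

def entitlement_matches(raw: bytes) -> list[str]:
    """Return the IOPCIPrimaryMatch strings from `codesign -d --entitlements -` output."""
    start = raw.find(b"<?xml")  # skip any binary blob header in front of the XML
    if start < 0:
        raise ValueError("no XML plist in codesign output")
    ents = plistlib.loads(raw[start:])
    return [d["IOPCIPrimaryMatch"] for d in ents.get(PCI_KEY, []) if "IOPCIPrimaryMatch" in d]

def parse_match(spec: str) -> list[tuple[int, int]]:
    """'VALUE[&MASK] ...' -> [(value, mask)]; a missing mask compares all 32 bits."""
    return [(int(v, 16), int(m, 16) if m else 0xFFFFFFFF) for v, m in PAIR.findall(spec)]

def device_allowed(id_register: int, specs: list[str]) -> bool:
    """id_register: device ID in the high 16 bits, vendor ID in the low 16 bits."""
    return any((id_register & m) == (v & m) for s in specs for v, m in parse_match(s))

def personality_covered(personality: str, specs: list[str]) -> bool:
    """Conservative check: each Info.plist match entry must fit inside one entitlement entry."""
    allowed = [p for s in specs for p in parse_match(s)]
    return all(
        # The entitlement mask may only test bits the personality also tests,
        # and the two values must agree on every bit the entitlement tests.
        any((em & ~pm) == 0 and ((pv ^ ev) & em) == 0 for ev, em in allowed)
        for pv, pm in parse_match(personality)
    )

# Constructed sample: the entitlements from the question behind a stand-in 8-byte header.
SAMPLE = b"\xfa\xde\x71\x71\x00\x00\x00\x00" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.developer.driverkit</key><true/>
  <key>com.apple.developer.driverkit.transport.pci</key>
  <array><dict>
    <key>IOPCIPrimaryMatch</key><string>0x12345678&amp;0x00000000</string>
  </dict></array>
</dict></plist>"""

if __name__ == "__main__":
    specs = entitlement_matches(SAMPLE)
    # 0x15338086 is a constructed device/vendor ID register value.
    print(specs, device_allowed(0x15338086, specs),
          personality_covered("0x12345678&0x000000000", specs))
```

A `False` from `personality_covered` means the Info.plist personality can match a device that no entitlement entry allows. The check says nothing about signature validity, which is what the amfid lines in the question report.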