macosmacos-big-suriokitkernel-extensionxnu

Unloading a kext after macOS 11 Big Sur


The Apple Developer article Installing a Custom Kernel Extension states:

Unloading a kext on macOS 11 and later requires a call to kmutil or kextunload, followed by a system reboot. The kmutil tool builds a new kext collection without the specified kext, but it doesn’t install that collection immediately. The system installs the new kext collection only after the computer reboots. As a result, the unloaded kext actually remains active and running until the user reboots the system.

For more details, see the kmutil(8) man page.

Was this implementation changed in the kmutil/kextunload command or the kernel itself? I tried looking at the changes to the OSKext::unload method in /libkern/c++/OSKext.cpp in the XNU source code but couldn't determine if it was changed there. I wasn't able to find any source code for the kmutil command.

I was wondering if there was still a way to unload and stop running a kext without a reboot, possibly by using the old kextunload command that does not call kmutil?


Solution

  • Unloading kexts is actually no longer supported at runtime by the kernel, in the same way that runtime loading no longer is either. The kernel is now pre-linked into a single image including all the kexts that are expected to be required, and all of this is loaded in one go on boot, and then sealed in memory just before the kernel is run. However, although each kext is loaded into memory, its initialisation code is only run and it becomes fully active when it’s actually required.

    Neither loading additional kexts nor removing loaded kexts from memory at runtime is possible in this arrangement. The change the set of kexts, a new kernel image must be prelinked and booted.