1. 21

  2. 9

    The crucial detail is this

    To deploy drivers built with DriverKit, allow other developers to use your system extensions, or use the EndpointSecurity API, you’ll need an entitlement from Apple.

    If I understand this correctly, we can say goodbye to hackintoshes.

    1. 1

      That was my first thought too. I also wonder about tools like LittleSnitch.

      1. 3

        In theory, Apple have been expanding Network Extensions API to be a sufficient substitute for NKEs. I’m not an expert on either, but if it’s anything like the EndpointSecurity framework as the supposed substitute for KAUTH listeners, there will be features that are killed off.

        I’m still in the process of porting some USB kexts to DriverKit, so I’ll see how good a substitute that is. I’m a little worried about the “magic” compiler-generated IPC glue being a debugging nightmare. I only recently started working on DriverKit though, largely thanks to lots of time spent on miscellaneous immediate Catalina regressions and working around the shortcomings of some of the braindead user consent implementations, which were more urgent because they immediately affected users.

        The 10.15.4 beta SDK has also added support for PCI/Thunderbolt drivers to DriverKit; it’ll definitely be interesting to see just how well that works out.

        I do think we’ll lose a bunch of software and hardware diversity on the Mac as a result of this. I’m finding the amount of effort required treading water to keep things running on the latest OS version or jumping through hoops due to badly designed features/APIs, compared to time left actually building something that has intrinsic value is becoming increasingly skewed. I fear lots of developers are going to decide it’s no longer worth it.

    2. 10

      Relevant discussion on the Apple developers forum, where the developers of Little Snitch, TripMode and Radio Silence, among others, express their concerns:


      Apple’s official position is for them to file an “enhancement request”. Good luck with that…

      1. 2

        And all of that was in 2017. Really unlikely that Apple is going to do anything given it’s been almost 3 years.

        1. 6

          Right. I was never a fan of the theory that Apple was iPad’ifying macOS. But it looks like we are heading that direction, even if accidentally. I can understand Apple’s motivations for the individual changes. In principle SIP is great, it protects against many malware attacks. In principle user-space drivers are also great, a vendor’s crap drivers should not run in our ring-0 [1]. Signed applications were great, but the mechanism was somewhat sensitive to stolen developer keys. Now we have notarization, which makes Apple the gatekeeper, even outside the App Store.

          With many of these steps, there are accommodations for more advanced users, but they are all half-baked. They do user-space drivers, but never complete the APIs necessary for developers to actually restore the old functionality in user-space. They make the system volume read-only, but come up with a half-baked mechanism for users who actually need a top-level directory. E.g. installing Nix in Catalina requires creating a new volume, creating an entry in synthetic.conf, and creating an entry in fstab. And then it doesn’t really work well if you encrypt the volume, because encrypted volumes are only mounted upon login, which means that applications that rely on the store could be started before the Nix store is mounted. How about just providing a menu item in Disk Utility that says “Create a top-level mounted volume”?

          The thing is that advanced users were just a gateway in the early 2000s for Apple to gain a foothold in the market and bootstrap a developer ecosystem. Now that the vast majority of Mac users are not advanced users, it’s just not their focus anymore. Their focus is providing a system that is as easy and secure as possible for the large majority of users and avoiding diverging from the iOS ecosystem to avoid maintenance costs. That’s a perfectly fine direction to take, but we as developers/advanced users should not expect much more than the occasional nice ‘back door’ that Apple developers manage to smuggle in, such as synthetic.conf.

          [1] The situation is really different compared to Linux, because in Linux virtually all drivers are open source and upstreamed, so one can verify that they don’t do stupid stuff.

          1. 0

            As of late I’ve been a bit dissatisfied with MacOS. It used to be great IMO. I really hope they won’t completely dumb down MacOS.

      2. 5

        Related blog post from Objective Development (the developers of Little Snitch):
        Little Snitch and Possible Deprecation of NKEs (2017)

        1. 2

          Hope no hardware developers want to use Macs.