Re: How to tell when all kexts are loaded
- Subject: Re: How to tell when all kexts are loaded
- From: Stephane Sudre <email@hidden>
- Date: Wed, 30 Nov 2005 11:21:34 +0100
On 30 Nov 2005, at 01:41, Terry Lambert wrote:
On Nov 29, 2005, at 4:14 PM, Stephane Sudre wrote:
On Wednesday, November 30, 2005, at 12:31 AM, Terry Lambert wrote:
(1) Your kext would need to be loaded and interfaced with the
networking stack before the network was in fact enabled, so that no
packets were permitted to pass through the networking interface to a
potentially vulnerable program on the host system, until the
defensive software was in place.
For this requirement, the kext must load at system startup.
To achieve this, you would have to use IOKit matching - the KEXT
would need to implement an IOKit device driver, and that driver
would have to always claim that it had discovered matching hardware.
For this requirement, you would also need to ensure that the kext
was loaded before network startup.
To achieve this, you would need to claim that the device driver was
a "Root" device - that is, it was required in order to mount the
Root volume so that the OS was capable of booting; note that making
this requirement endangers the system: a bug in this device driver
could result in an unrecoverable boot failure requiring either a
reinstall, or a boot from install media and an escape to a shell or
a boot from an alternate partition.
Your point on "Root" device is not exactly right AFAIK. "Root" device
startup can be prevented. With some code, the I/O Kernel extension
can know that the boot was made in Safe mode and so perform
differently or return failure on loading.
This is incorrect. In an earlier response, I made the statement that
setting "OSBundleRequired" to "Root" was sufficient; I was mistaken,
and corrected by Dean; it's *necessary*, but not *sufficient*. To be
sufficient, it needs to also be an IOKit driver that claims it has
found matching hardware, i.e.:
(a) Be an IOKit driver
(b) Follow the IOKit matching rules
(c) Claim to have matched hardware
(d) Have an "OSBundleRequired" of "Root" in its "Info.plist" file
(e) *NOT* have a non-zero value for "IOKitDebug" in its
"Info.plist" file
See:
<http://developer.apple.com/documentation/Darwin/Conceptual/KEXTConcept/KEXTConceptLoading/loading_kexts.html#//apple_ref/doc/uid/20002369-97330-BABDIDAF>
You mean that PE_parse_boot_arg("-x", &dummy) is not working?
Concerning the point of being loaded before the network stack is
enabled, there's a problem in Tiger where the callback which could be
used to be loaded before the stack is enabled (so that for instance
you can attach socket filters as soon as possible) is never called
before the stack is enabled. At least, that's been my experience.
This is a known problem AFAIK.
I really can't parse:
"the callback which could be used to be loaded before the stack is
enabled"
If "used to be" means "formerly was", it doesn't match the verb tense
of "is" (should be "was"?), and if "be used" means "carry out a
purpose or action", then "to be" probably should have been "is".
Simpler syntax:
the callback you need to support to be informed that the network stack
has just been loaded & initialized.
C syntax:
net_init_add always returns EALREADY
If it's the former, I'm not sure I understand why it's a problem to
not call a callback on a disabled stack, since disabled stacks don't
have any activity on them; if it's the latter, I'm not sure why
loading the network extension before enabling the stack is a problem,
either, since it seems to be the desired behavior.
Do you have a radar # for a problem report that better explains why
the Tiger behavior is a problem for you?
The problem is that this method is supposed to allow someone to add a
callback but this callback is currently useless IMHO since the network
stack is always initialized when you call net_init_add.
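
Conditions (a) through (e) quoted above can be checked statically against a kext's Info.plist before relying on it to load early in boot. The following is an added example, not code from this thread or from Apple: the sample plist, the bundle and class names and the function `audit_early_load` are constructed, conditions (b) and (c) are only approximated by requiring `IOClass` and `IOProviderClass` in each personality, and checking `IOKitDebug` both at the top level and per personality is an assumption.

```python
import plistlib

# Constructed sample Info.plist for a hypothetical filter kext (not from the thread).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.filter</string>
  <key>OSBundleRequired</key><string>Root</string>
  <key>IOKitPersonalities</key>
  <dict>
    <key>Filter</key>
    <dict>
      <key>IOClass</key><string>com_example_filter</string>
      <key>IOProviderClass</key><string>IOResources</string>
      <key>IOKitDebug</key><integer>65535</integer>
    </dict>
  </dict>
</dict>
</plist>"""


def audit_early_load(plist_bytes):
    """Return the list of conditions (a)-(e) the Info.plist fails to meet."""
    info = plistlib.loads(plist_bytes)
    problems = []
    personalities = info.get("IOKitPersonalities") or {}
    # (a)-(c): without a personality the kext is never matched as an IOKit driver.
    if not personalities:
        problems.append("(a) no IOKitPersonalities: not an IOKit driver")
    for name, p in personalities.items():
        for key in ("IOClass", "IOProviderClass"):
            if not p.get(key):
                problems.append(f"(b)/(c) personality {name!r} lacks {key}")
    # (d): OSBundleRequired must be "Root".
    required = info.get("OSBundleRequired")
    if required != "Root":
        problems.append(f"(d) OSBundleRequired is {required!r}, expected 'Root'")
    # (e): IOKitDebug must be absent or zero; checked at top level and per
    # personality (assumption: either location counts).
    scopes = [("Info.plist", info)] + [(f"personality {n!r}", p) for n, p in personalities.items()]
    for where, d in scopes:
        if d.get("IOKitDebug", 0) != 0:
            problems.append(f"(e) non-zero IOKitDebug in {where}")
    return problems


if __name__ == "__main__":
    for line in audit_early_load(SAMPLE_PLIST) or ["all static conditions met"]:
        print(line)
```

The constructed sample fails only condition (e), the kind of leftover debug setting that would keep a defensive kext from loading before the network comes up.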