Gatebreak: Signed Kexts for Everyone

Status
Not open for further replies.

SJ_UnderWater

Moderator
Are you saying you don't see a problem with requiring the Apple kext certificates to be trusted as rigorously as "anchor trusted" checks?
 

RehabMan

Moderator
> Are you saying you don't see a problem with requiring the Apple kext certificates to be trusted as rigorously as "anchor trusted" checks?

I don't understand the question.

I'm just trying to parse the logic here. I'm assuming that all certs which pass 'apple anchor generic' will also pass 'anchor trusted'. And you seem to confirm this. Therefore, the first requirement is redundant and only the second necessary. Similar to how 'if (x > 1 || x > 0)' can be optimized/simplified to 'if (x > 0)'.
 

SJ_UnderWater

Moderator
> I don't understand the question.
>
> I'm just trying to parse the logic here. I'm assuming that all certs which pass 'apple anchor generic' will also pass 'anchor trusted'. And you seem to confirm this. Therefore, the first requirement is redundant and only the second necessary. Similar to how 'if (x > 1 || x > 0)' can be optimized/simplified to 'if (x > 0)'.
No, I never said that, nor did I "confirm" it. My question above points out the problem. I'm getting the distinct feeling you never read the Code Requirements article, because there are at least two points they make: first, that "anchor trusted" doesn't mean what you think it does, and second, that without an explicit "trusted" argument, the code requirement doesn't check the trust of a certificate. I don't know or control the trusted status of "apple generic" certificate chains ("anchor trusted" doesn't mean "anchor root trusted"), and have no intention of increasing the scrutiny on them. The only goal of this exercise is to allow kext-type certificates which pass "anchor trusted" to be allowed. Why touch the rest?
 

RehabMan

Moderator
> No, I never said that, nor did I "confirm" it. My question above points out the problem. I'm getting the distinct feeling you never read the Code Requirements article, because there are at least two points they make: first, that "anchor trusted" doesn't mean what you think it does, and second, that without an explicit "trusted" argument, the code requirement doesn't check the trust of a certificate. I don't know or control the trusted status of "apple generic" certificate chains ("anchor trusted" doesn't mean "anchor root trusted"), and have no intention of increasing the scrutiny on them. The only goal of this exercise is to allow kext-type certificates which pass "anchor trusted" to be allowed. Why touch the rest?

Well, given that I have personally tested the requirements reduced to "anchor trusted" and all vanilla kexts present in /System/Extensions passed the test, it would seem to imply that all apple kext certs will satisfy "anchor trusted."

I'll eventually have time to figure out this all on my own and determine what I'm going to do with my own personal system should signing become a requirement. But thanks for the response and information.
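The test RehabMan describes (running every vanilla kext against a requirement reduced to "anchor trusted") can be reproduced with codesign's own requirement-language checks. The script below is an added example, not code from the thread or from the Gatebreak project; it assumes a macOS host with `codesign` on the path, uses the real `--test-requirement` option (inline requirement text is passed with a leading `=`), and uses the standard kext directory `/System/Library/Extensions` as its default. The three requirement strings are the ones named in the discussion; the `both` form is the combined check being debated, and comparing its pass/fail counts against `trusted` alone is the concrete way to settle whether the first clause is redundant on a given system.

```shell
#!/bin/sh
# Added example: verify every kext in a directory against a chosen code
# requirement and count the failures, reproducing the kind of test
# described in the thread. Not part of Gatebreak; assumes macOS + codesign.

# Map a short name to a codesign requirement-language string.
# (These strings are the ones discussed in the thread.)
kext_requirement() {
    case "$1" in
        apple)   printf '%s' 'anchor apple generic' ;;
        trusted) printf '%s' 'anchor trusted' ;;
        both)    printf '%s' 'anchor apple generic or anchor trusted' ;;
        *)       printf 'unknown requirement name: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Check one bundle against a requirement string; emit "PASS path" or "FAIL path".
# The leading '=' tells codesign the argument is inline requirement text.
check_kext() {
    req=$1
    path=$2
    if codesign --verify --test-requirement="=$req" "$path" >/dev/null 2>&1; then
        printf 'PASS %s\n' "$path"
    else
        printf 'FAIL %s\n' "$path"
    fi
}

# Count FAIL lines on stdin (output of check_kext); prints the number.
count_failures() {
    awk 'BEGIN { f = 0 } /^FAIL / { f++ } END { print f }'
}

# Usage: run_kext_check [directory] [apple|trusted|both]
# Exits 2 if codesign is unavailable (i.e. not on macOS).
run_kext_check() {
    dir=${1:-/System/Library/Extensions}
    req=$(kext_requirement "${2:-trusted}") || return 1
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not found; this check only runs on macOS" >&2
        return 2
    fi
    for k in "$dir"/*.kext; do
        [ -d "$k" ] || continue
        check_kext "$req" "$k"
    done
}

# Example invocation (prints PASS/FAIL per kext, then the failure count):
#   run_kext_check /System/Library/Extensions trusted | tee /tmp/kexts.txt
#   count_failures < /tmp/kexts.txt
```

Running the same directory once with `trusted` and once with `both` and comparing the failure counts is the empirical version of the "x > 0" argument: if the counts match on your system, the `apple` clause added nothing there; if they differ, it did. To see what a kext's own designated requirement says, `codesign -d -r- path/to/Foo.kext` prints it.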
 
I'm new to Gatebreak... So do we still have to re-sign FakeSMC.plugin files?
 
goliczaa

Guest
Hello.
I very much appreciate your work. It is amazing. But how could I patch the kext related files on El Capitan to get it up working on El Cap too? Thank you. :)
 
@RehabMan, is it good to have your kexts signed by, for example, my Apple developer ID?

Could we enable SIP this way? (csr-active-config 0x0)
 

RehabMan

Moderator
> @RehabMan, is it good to have your kexts signed by, for example, my Apple developer ID?
>
> Could we enable SIP this way? (csr-active-config 0x0)

It is not something I wish to do...
 