I was recently surprised by a pop-up dialogue in macOS asking me to approve a system extension (kext, or kernel extension) in the Security & Privacy preferences panel. I could not recall what, if any, software I had recently updated and was immediately suspicious.
It was difficult to pin down any information since the kext was not specified in the pop-up or the preferences panel. I found one post on Apple Discussions that introduced me to the kmutil command:
```
$ kmutil log show
...
2022-02-04 14:35:49.437506-0500 0x3d0908 Default 0x0 102 0 kernelmanagerd: [com.apple.kernelmanagerd.logging:LoadRequestResolution] gathering approvals for: /Library/Apple/System/Library/Extensions/RemoteVirtualInterface.kext
2022-02-04 14:35:49.501178-0500 0x3d0908 Error 0x0 102 0 kernelmanagerd: library rebuild request failed: Extension with identifiers com.apple.nke.rvi not approved to load. Please approve using System Preferences.
...
```
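From the logs we can see that a particular identifier, com.apple.nke.rvi, with its related kext file, /Library/Apple/System/Library/Extensions/RemoteVirtualInterface.kext, requires approval.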
“Remote Virtual Interface” seems to be a tool used for Recording a Packet Trace - I believe typically used while developing iOS apps.
I tracked down a second tool, codesign, that can authenticate the kext. If the exit status is 0 (i.e. success) the kext is valid:
```
❯ codesign -d --verbose=4 /Library/Apple/System/Library/Extensions/RemoteVirtualInterface.kext
Executable=/Library/Apple/System/Library/Extensions/RemoteVirtualInterface.kext/Contents/MacOS/RemoteVirtualInterface
Identifier=com.apple.nke.rvi
Format=bundle with Mach-O universal (x86_64 arm64e arm64)
CodeDirectory v=20100 size=290 flags=0x0(none) hashes=4+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=2945602eada16a5ef1a1ec22968c9172cda7500c
CandidateCDHashFull sha1=2945602eada16a5ef1a1ec22968c9172cda7500c
CandidateCDHash sha256=ba857c40bcfaf664a5f8a0015d58e3eca8929168
CandidateCDHashFull sha256=ba857c40bcfaf664a5f8a0015d58e3eca892916899812a8da80bccb64ae5ba3f
Hash choices=sha1,sha256
CMSDigest=cce1f226974ca1222e52271b14115be1dace14b375ab32405918c617b5f9b47e
CMSDigestType=2
Page size=4096
CDHash=ba857c40bcfaf664a5f8a0015d58e3eca8929168
Signature size=4523
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Signed Time=Oct 30, 2021 at 9:59:49 PM
Info.plist entries=23
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=1
Internal requirements count=1 size=68
❯ echo $?
0
```
codesign exits 0 if all operations succeed. This indicates that all codes were signed, or all codes verified properly as requested. If a signing or verification operation fails, the exit code is 1. Exit code 2 indicates invalid arguments or parameters. Exit code 3 indicates that during verification, all path(s) were properly signed but at least one of them failed to satisfy the requirement specified with the -R option.
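The two steps above can be chained. The following is an added example, not code from the original post: it extracts the kext path and bundle identifier from kernelmanagerd log lines, then runs codesign in its `--verify` mode with the `-R` requirement option so that the exit codes just described apply to an actual verification run. The function names and the choice of the `anchor apple` requirement (satisfied only by code signed by Apple itself) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post).
# The two kernelmanagerd lines below are copied from the kmutil output above.
SAMPLE_LOG='2022-02-04 14:35:49.437506-0500 0x3d0908 Default 0x0 102 0 kernelmanagerd: [com.apple.kernelmanagerd.logging:LoadRequestResolution] gathering approvals for: /Library/Apple/System/Library/Extensions/RemoteVirtualInterface.kext
2022-02-04 14:35:49.501178-0500 0x3d0908 Error 0x0 102 0 kernelmanagerd: library rebuild request failed: Extension with identifiers com.apple.nke.rvi not approved to load. Please approve using System Preferences.'

# Read log lines on stdin; print each kext path awaiting approval, once.
pending_kext_paths() {
  sed -n 's/.*gathering approvals for: \(.*\.kext\).*/\1/p' | sort -u
}

# Read log lines on stdin; print each bundle identifier reported as unapproved.
unapproved_ids() {
  sed -n 's/.*Extension with identifiers \(.*\) not approved to load.*/\1/p' | sort -u
}

# Translate a codesign exit status into the meaning given in its documentation.
codesign_status() {
  case "$1" in
    0) echo "signature verified, requirement satisfied" ;;
    1) echo "verification failed" ;;
    2) echo "invalid arguments" ;;
    3) echo "signed, but requirement not satisfied" ;;
    *) echo "unexpected exit status $1" ;;
  esac
}

# Verify the signature and require that it chains to Apple's own signing anchor
# (assumption: the kext is expected to be Apple software, as in this post).
verify_kext() {
  rc=0
  codesign --verify --strict -R='anchor apple' "$1" 2>/dev/null || rc=$?
  codesign_status "$rc"
}

# On a Mac, check every kext named in the log; elsewhere this step is skipped.
if command -v codesign >/dev/null 2>&1; then
  printf '%s\n' "$SAMPLE_LOG" | pending_kext_paths | while IFS= read -r kext; do
    printf '%s: %s\n' "$kext" "$(verify_kext "$kext")"
  done
fi
```

On a live system, pipe the output of the kmutil command shown earlier into `pending_kext_paths` in place of `SAMPLE_LOG`.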
If you’re ever surprised by a dialogue asking for approval of a system extension, I hope these tools can help you track down and authenticate the software in question.
Of course, after all the work to track this down, while writing this post my MacBook Air crashed and after reboot my explicit approval no longer seemed to be required!