Apple has confirmed that future Mac computers powered by its own chips will not support kernel extensions at all. This will further tighten macOS security and increase its stability.
Kernel Extensions Are Bad for Security
This was clarified in an updated version of Apple’s Platform Security Guide detailing the latest security features in iOS 14, iPadOS 14, macOS Big Sur, tvOS 14, and watchOS 7. It acknowledges that third-party kernel extensions are bad from a security standpoint.
In addition to enabling users to run older versions of macOS, Reduced Security is required for other actions that can put a user’s system security at risk, such as introducing third-party kernel extensions.
The 196-page document, available on Apple Support and as a PDF document, explains that a third-party kernel extension has the same privileges as the macOS kernel. As a result, any vulnerabilities found in a kernel extension can lead to full operating system compromise.
This is why developers are being strongly encouraged to adopt system extensions before kernel extension support is removed from macOS on future Mac computers with Apple silicon.
Aside from the refreshed Apple Platform Security guide, the company also debuted a new Security Certifications and Compliance Center on its website, providing crucial security and privacy-related information about Apple hardware, software, and services.
macOS also includes a feature called System Integrity Protection that actively shields parts of your system from modification, and blocks the installation of insecure extensions.
About macOS Kernel Extensions
In many operating systems, the kernel is the central component that has complete control over all the system resources. Always resident in memory, the kernel handles crucial low-level operations such as memory allocation, peripherals access, I/O requests, and more. It’s one of the first software components that load when you turn on your Mac.
Kernel extensions permit developers to inject custom code into the macOS kernel, usually to enable compatibility with certain peripherals or to create very advanced apps. However, Apple no longer recommends using macOS kernel extensions.
macOS Catalina, released more than two years ago, was the last version of the Mac operating system to support kernel extensions. Apple now provides system extensions as a way of extending macOS functionality without potentially compromising security.
Unlike kernel extensions, system extensions run in user space rather than inside the kernel. Because they run in user space, system extensions have only limited privileges, so a bug in one does not hand an attacker kernel-level control.
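Since a loaded third-party kext runs with the kernel's privileges, a defender's first question is which ones are loaded and whether System Integrity Protection is on. The script below is an added example, not Apple's or the article's code: it parses kextstat-style lines to flag bundle identifiers outside the com.apple.* namespace and checks csrutil output for SIP; the kextstat and csrutil lines embedded in it are constructed samples, and the com.example.vendor.* identifiers are placeholders.

```shell
#!/bin/sh
# Defender inventory check for macOS: which loaded kernel extensions are not
# Apple's, and whether System Integrity Protection (SIP) is enabled.

# Print bundle IDs of loaded kexts outside the com.apple.* namespace.
# Input (stdin): kextstat lines "Index Refs Address Size Wired Name (Version) ...".
# The header row is skipped because its first field is not numeric.
list_third_party_kexts() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 6 && $6 !~ /^com\.apple\./ { print $6 }'
}

# Count third-party kexts in the kextstat text passed as $1.
count_third_party_kexts() {
    printf '%s\n' "$1" | list_third_party_kexts | wc -l | tr -d ' '
}

# Succeed (exit 0) when the csrutil output passed as $1 reports SIP enabled.
sip_enabled() {
    printf '%s\n' "$1" | grep -qi 'System Integrity Protection status: enabled'
}

# Constructed sample output (not captured from a real Mac) so the script runs offline.
SAMPLE_KEXTSTAT='Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1   85 0xffffff7f80a7d000 0x9000     0x9000     com.apple.kpi.bsd (20.6.0) 00000000-0000-0000-0000-000000000001
  145    0 0xffffff7f82c0a000 0x7000     0x7000     com.example.vendor.netfilter (3.1.2) 00000000-0000-0000-0000-000000000002 <5 4 3 1>
  146    0 0xffffff7f82c11000 0x5000     0x5000     com.apple.driver.AppleUSBHostMergeProperties (1.2) 00000000-0000-0000-0000-000000000003 <4 3>
  147    2 0xffffff7f82c16000 0x3000     0x3000     com.example.vendor.driver (1.0.0) 00000000-0000-0000-0000-000000000004 <6 5 4>'
SAMPLE_CSRUTIL='System Integrity Protection status: enabled.'

# Use the live tools when present (macOS); otherwise fall back to the samples.
if command -v kextstat >/dev/null 2>&1; then
    kexts=$(kextstat 2>/dev/null)
    sip=$(csrutil status 2>/dev/null)
else
    kexts=$SAMPLE_KEXTSTAT
    sip=$SAMPLE_CSRUTIL
fi

echo "Third-party kexts loaded: $(count_third_party_kexts "$kexts")"
printf '%s\n' "$kexts" | list_third_party_kexts | sed 's/^/  /'
if sip_enabled "$sip"; then
    echo "SIP: enabled"
else
    echo "SIP: disabled (system paths and kext loading are not shielded)"
fi
```

On macOS Big Sur kextstat still works but is deprecated in favour of kmutil, whose output layout differs, so the parser above applies to kextstat output only.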
About macOS System Extensions
Here’s how Apple’s support document describes macOS system extensions:
System extensions work in the background to extend the functionality of your Mac. Some apps install kernel extensions, or kexts—a kind of system extension that works using older methods that aren’t as secure or reliable as modern alternatives. Your Mac identifies these as legacy system extensions.
A system extension may seek user permission before it’s loaded. In that case, the user will be asked to go to the Security & Privacy preferences to allow the extension.
On a Mac with Apple silicon, you may first need to use Startup Security Utility to set the security policy to Reduced Security and select the ‘Allow user management of kernel extensions from identified developers’ checkbox.
If your Mac is using an outdated third-party extension, you may see a system alert. In that case, you should reach out to its developer and inquire about compatibility. Such outdated extensions need to be updated, or they will be incompatible with a future version of macOS.