10.14 says 1.9.3 kexts are "incompatible"


Re: 10.14 says 1.9.3 kexts are "incompatible"

Postby poolparty » Fri Nov 01, 2019 2:57 am

I’ve found one more report that indicates 10.14.6 might sometimes reject kexts even though they’re notarized.

The post also notes the following:

Kext loads fine when i disable hardened runtime but whenever i enable hardened runtime and then try to load kext with kextutil i get this error.


Contrary to that statement, when I run codesign on the 1.9.2 kexts (which all load just fine), I get:

Code:
$ codesign -dv --entitlements :- 2>&1 \
    /Library/Extensions/spl.kext/Contents/PlugIns/KernelExports.kext/KernelExports \
    /Library/Extensions/spl.kext/Contents/MacOS/spl \
    /Library/Extensions/zfs.kext/Contents/MacOS/zfs \
    | grep -E --color=always 'flags=\w+'


CodeDirectory v=20200 size=226 flags=0x10000(runtime) hashes=1+3 location=embedded
CodeDirectory v=20200 size=1679 flags=0x10000(runtime) hashes=47+3 location=embedded
CodeDirectory v=20200 size=24623 flags=0x10000(runtime) hashes=764+3 location=embedded


So the hardened runtime feature may not be the culprit after all?
poolparty
 
Posts: 26
Joined: Mon Apr 30, 2018 11:34 am

Re: 10.14 says 1.9.3 kexts are "incompatible"

Postby Musuld » Tue Nov 05, 2019 2:07 am

lundman wrote: This might be an issue with going from 1.9.2 -> 1.9.3. Looks like the kexts have the same version, so a clean uninstall, reboot, install is needed.


I’ve got the same problem and did not come from 1.9.2. In fact my Mac hadn’t seen any OpenZFS before I tried to install 1.9.3. I can safely say that it is not the updating that is causing the problem.
Musuld
 
Posts: 3
Joined: Fri Nov 01, 2019 4:46 am

Re: 10.14 says 1.9.3 kexts are "incompatible"

Postby lundman » Thu Nov 07, 2019 4:51 pm

So there still are occasional systems that do not want to load 1.9.3 on Mojave? The kexts unfortunately have the same versions between 1.9.2 and 1.9.3, which is why it needs to be uninstalled, rebooted, before installing 1.9.3 - but sounds like there are still issues?
lundman
 
Posts: 1335
Joined: Thu Mar 06, 2014 2:05 pm
Location: Tokyo, Japan

Re: 10.14 says 1.9.3 kexts are "incompatible"

Postby poolparty » Fri Nov 08, 2019 2:15 am

Hi lundman,

Yep, 1.9.3 definitely doesn’t load, no matter how often I uninstall ZFS and then reboot my system. The error messages I posted earlier (from my terminal and from my system log) are reproducible and consistent for me.

Regarding 1.9.2 and its kext version: before my first attempt at installing 1.9.3, I never even had 1.9.2 on my Mac.
I rather uninstalled 1.9.0 and installed 1.9.3, skipping 1.9.2 altogether.

When I noticed the 1.9.3 kext wouldn’t load, I switched between 1.9.2 and 1.9.3 several times (by uninstalling, rebooting, and installing). The result is consistently reproducible for me: 1.9.2 works but the 1.9.3 kext is never accepted, with kextutil (or whatnot) claiming notarization issues.

Any advice/idea for troubleshooting?
poolparty
 
Posts: 26
Joined: Mon Apr 30, 2018 11:34 am

Re: 10.14 says 1.9.3 kexts are "incompatible"

Postby lundman » Sun Nov 10, 2019 6:45 pm

Could you try the 1.9.3.1 I just posted? I repacked it with new version numbers since a few have already had issues with it.
lundman
 
Posts: 1335
Joined: Thu Mar 06, 2014 2:05 pm
Location: Tokyo, Japan

Re: 10.14 says 1.9.3 kexts are "incompatible"

Postby poolparty » Mon Nov 11, 2019 2:38 am

Hi lundman,

Thank you for packaging 1.9.3.1!

The installer completes successfully but "zpool version" still gives me the same error message as in 1.9.3:

Code:
$ zpool version
Failed to load ZFS module stack.
Load the module manually by running '/sbin/kextload /Library/Extensions/zfs.kext' as root.
The /dev/zfs device is missing and must be created.
Try running 'udevadm trigger' as root to create it.


Also in 1.9.3.1, kextutil gives the same error message as in 1.9.3:

Code:
$ sudo kextutil /Library/Extensions/spl.kext 2>&1 | tail
Rejecting invalid/inauthentic kext for bundle id net.lundman.kernel.dependencies.33 at location file:///Library/Extensions/spl.kext/Contents/PlugIns/KernelExports.kext/.
/Library/StagedExtensions/Library/Extensions/spl.kext - no compatible dependency found for net.lundman.kernel.dependencies.33.
Rejecting invalid/inauthentic kext for bundle id net.lundman.kernel.dependencies.33 at location file:///Library/StagedExtensions/Library/Extensions/spl.kext/Contents/PlugIns/KernelExports.kext/.
Rejecting invalid/inauthentic kext for bundle id net.lundman.kernel.dependencies.33 at location file:///Library/Extensions/spl.kext/Contents/PlugIns/KernelExports.kext/.
/Library/StagedExtensions/Library/Extensions/spl.kext - no compatible dependency found for net.lundman.kernel.dependencies.33.
Diagnostics for /Library/Extensions/spl.kext:
Dependency Resolution Failures:
    Only incompatible kexts found for these libraries:
        net.lundman.kernel.dependencies.33


And, also in 1.9.3.1:

Code:
$ sudo kextutil /Library/Extensions/spl.kext/Contents/PlugIns/KernelExports.kext
Kext rejected due to system policy: <OSKext 0x7fed24c27be0 [0x7fff86e048e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/spl.kext/Contents/PlugIns/KernelExports.kext/", ID = "net.lundman.kernel.dependencies.33" }
Diagnostics for /Library/Extensions/spl.kext/Contents/PlugIns/KernelExports.kext:


The only thing that has really changed is the log output; notably, in 1.9.3.1, syspolicyd no longer reports notarization issues like it used to in 1.9.3.
This is what the system log says now when I run "sudo kextutil /Library/Extensions/spl.kext/Contents/PlugIns/KernelExports.kext" on 1.9.3.1:

Code:
$ log stream --type log --predicate '(process == "syspolicyd" || process beginswith "kext") && messageType == "error"'
[…]
[…] syspolicyd: Kernel Extension BLOCKED: <private>
[…] syspolicyd: Kernel Extension BLOCKED: <private>
[…] syspolicyd: Kernel Extension BLOCKED: <private>
[…] kextd: (IOKit) [com.apple.kext:kextlog] Kext rejected due to system policy: <OSKext 0x7fe937a570b0 [0x7fff86e048e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/spl.kext/Contents/PlugIns/KernelExports.kext/", ID = "net.lundman.kernel.dependencies.33" }
[…] kextd: (IOKit) [com.apple.kext:kextlog] Rejecting invalid/inauthentic kext for bundle id net.lundman.kernel.dependencies.33 at location file:///Library/StagedExtensions/Library/Extensions/spl.kext/Contents/PlugIns/KernelExports.kext/.
[…] kextd: (IOKit) [com.apple.kext:kextlog] Kext rejected due to insecure location: <OSKext 0x7fe937a4a400 [0x7fff86e048e0]> { URL = "file:///Library/Extensions/spl.kext/Contents/PlugIns/KernelExports.kext/", ID = "net.lundman.kernel.dependencies.33" }
[…] kextd: (IOKit) [com.apple.kext:kextlog] Rejecting invalid/inauthentic kext for bundle id net.lundman.kernel.dependencies.33 at location file:///Library/Extensions/spl.kext/Contents/PlugIns/KernelExports.kext/.
[…] kextd: (IOKit) [com.apple.kext:kextlog] /Library/StagedExtensions/Library/Extensions/spl.kext - no compatible dependency found for net.lundman.kernel.dependencies.33.
[…] kextd: (IOKit) [com.apple.kext:kextlog] net.lundman.zfs's dependencies failed security checks; failing.


Any ideas as to what I can try to debug next?
poolparty
 
Posts: 26
Joined: Mon Apr 30, 2018 11:34 am
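
Added example, not part of the original post: a small triage helper that counts kext load rejections per bundle ID and reason, using the kextd message wording quoted in the post above. The function names and reason labels are made up for this example, and the sample lines are the post's own messages with the timestamps dropped.

```shell
#!/bin/sh
# Added example (not from the thread): count kext load rejections per
# bundle ID and reason, using the kextd message wording quoted above.

kext_reject_summary() {
    awk '
    # Return the text matched by re, minus skip leading and trim trailing chars.
    function grab(re, skip, trim) {
        if (!match($0, re)) return "unknown"
        return substr($0, RSTART + skip, RLENGTH - skip - trim)
    }
    /rejected due to system policy/ {
        n[grab("ID = \"[^\"]+\"", 6, 1) "\tsystem-policy"]++; next }
    /rejected due to insecure location/ {
        n[grab("ID = \"[^\"]+\"", 6, 1) "\tinsecure-location"]++; next }
    /Rejecting invalid\/inauthentic kext/ {
        n[grab("bundle id [^ ]+", 10, 0) "\tinauthentic"]++; next }
    /no compatible dependency found for/ {
        id = grab("found for [^ ]+", 10, 0); sub(/\.$/, "", id)
        n[id "\tmissing-dependency"]++; next }
    /dependencies failed security checks/ {
        # \047 is a single quote: matches "<bundle id>\047s dependencies"
        n[grab("[^ ]+\047s dependencies", 0, 15) "\tdependency-failed-checks"]++ }
    END { for (k in n) print k "\t" n[k] }
    ' | LC_ALL=C sort
}

# Sample input: the messages from the post, timestamps removed.
sample_log() {
    cat <<'EOF'
kextd: Kext rejected due to system policy: <OSKext 0x7fe937a570b0 [0x7fff86e048e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/spl.kext/Contents/PlugIns/KernelExports.kext/", ID = "net.lundman.kernel.dependencies.33" }
kextd: Rejecting invalid/inauthentic kext for bundle id net.lundman.kernel.dependencies.33 at location file:///Library/StagedExtensions/Library/Extensions/spl.kext/Contents/PlugIns/KernelExports.kext/.
kextd: Kext rejected due to insecure location: <OSKext 0x7fe937a4a400 [0x7fff86e048e0]> { URL = "file:///Library/Extensions/spl.kext/Contents/PlugIns/KernelExports.kext/", ID = "net.lundman.kernel.dependencies.33" }
kextd: Rejecting invalid/inauthentic kext for bundle id net.lundman.kernel.dependencies.33 at location file:///Library/Extensions/spl.kext/Contents/PlugIns/KernelExports.kext/.
kextd: /Library/StagedExtensions/Library/Extensions/spl.kext - no compatible dependency found for net.lundman.kernel.dependencies.33.
kextd: net.lundman.zfs's dependencies failed security checks; failing.
EOF
}

# Output columns: bundle ID, reason, count (tab-separated).
sample_log | kext_reject_summary
```

On this sample every rejection except the last traces back to net.lundman.kernel.dependencies.33, and the zfs kext fails only because that dependency was refused.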

Re: 10.14 says 1.9.3 kexts are "incompatible"

Postby lundman » Mon Nov 11, 2019 4:00 pm

I just installed it on my Mojave VM to make sure it is supposed to work:
Code:
  120    1 0                  0x4fc      0x4fc      net.lundman.kernel.dependencies.33 (12.5.0) 12647AE2-57FB-35DB-AF57-4B25D060D845
  121    1 0xffffff7f82a7e000 0x11f5000  0x11f5000  net.lundman.spl (1.9.3) CE16BE25-8957-3D0F-9B78-7CE1C44910F7 <120 8 6 5 3 1>
  122    0 0xffffff7f83c73000 0x3b8000   0x3b8000   net.lundman.zfs (1.9.3) 0CBDFA7B-0202-3BF8-A90E-B5BD176209F2 <121 27 8 6 5 3 1>


It is peculiar that it is upset about the "net.lundman.kernel.dependencies.33" kext of all things.

Have you been at a place where you have "kextstat | grep lund" showing nothing, running "kextcache -i /" and rebooting, then installing 1.9.3.1?
lundman
 
Posts: 1335
Joined: Thu Mar 06, 2014 2:05 pm
Location: Tokyo, Japan

Re: 10.14 says 1.9.3 kexts are "incompatible"

Postby JasonBelec » Tue Nov 19, 2019 8:03 am

This is still pooched on a brand new system, installs fine, no security button, but fails to run as posted earlier by others.

Kext rejected due to system policy: <OSKext 0x7f8d584677b0 [0x7fff878b3d10]> { URL = "file:///Library/StagedExtensions/Library/Extensions/spl.kext/Contents/PlugIns/KernelExports.kext/", ID = "net.lundman.kernel.dependencies.33" }
/Library/StagedExtensions/Library/Extensions/spl.kext/Contents/PlugIns/KernelExports.kext does not authenticate; omitting.
Kext rejected due to system policy: <OSKext 0x7f8d89a0e6c0 [0x7fff878b3d10]> { URL = "file:///Library/StagedExtensions/Library/Extensions/spl.kext/", ID = "net.lundman.spl" }
/Library/StagedExtensions/Library/Extensions/spl.kext does not authenticate; omitting.
Kext rejected due to system policy: <OSKext 0x7f8d58465d10 [0x7fff878b3d10]> { URL = "file:///Library/StagedExtensions/Library/Extensions/zfs.kext/", ID = "net.lundman.zfs" }
/Library/StagedExtensions/Library/Extensions/zfs.kext does not authenticate; omitting.
KernelCache ID: 8A3C1AF33CF689C6244A6B3F87A35A11
Kext rejected due to system policy: <OSKext 0x7facb1cd5cf0 [0x7fff878b3d10]> { URL = "file:///Library/StagedExtensions/Library/Extensions/zfs.kext/", ID = "net.lundman.zfs" }
Kext rejected due to system policy: <OSKext 0x7facb1ccc250 [0x7fff878b3d10]> { URL = "file:///Library/StagedExtensions/Library/Extensions/spl.kext/", ID = "net.lundman.spl" }
Kext rejected due to system policy: <OSKext 0x7facc338dcb0 [0x7fff878b3d10]> { URL = "file:///Library/StagedExtensions/Library/Extensions/spl.kext/Contents/PlugIns/KernelExports.kext/", ID = "net.lundman.kernel.dependencies.33" }
JasonBelec
 
Posts: 32
Joined: Mon Oct 26, 2015 1:07 pm

Re: 10.14 says 1.9.3 kexts are "incompatible"

Postby JasonBelec » Tue Nov 19, 2019 11:28 am

OK, weird, now rebooting, the Security button appears in System Preferences, accepting, states another restart is required, so reboot. Woohoo, I can query pools. Perhaps the notes need to be updated. ;)
JasonBelec
 
Posts: 32
Joined: Mon Oct 26, 2015 1:07 pm

Re: 10.14 says 1.9.3 kexts are "incompatible"

Postby FabriceB » Sat Dec 14, 2019 5:59 am

I got stuck in the same situation with 1.9.3.1.

I found this:
https://forums.ivanti.com/s/article/How ... from-macOS

And indeed I see:
735AM5QEU3|net.lundman.kernel.dependencies.32|1|Joergen Lundman|5
735AM5QEU3|net.lundman.kernel.dependencies.33|0|Joergen Lundman|4

32 was allowed, not 33.

This link looks interesting too:
https://pikeralpha.wordpress.com/2017/0 ... n-loading/

This link provides the solution. Booting in rescue mode, and launching the command

spctl kext-consent add 735AM5QEU3

solved my problem.
FabriceB
 
Posts: 1
Joined: Sat Dec 14, 2019 5:54 am
