extern "C" {
#include <mach/kmod.h>
#include <libkern/kernel_mach_header.h>
#include <libkern/prelink.h>
}
#include <libkern/version.h>
#include <libkern/c++/OSContainers.h>
#include <libkern/OSKextLibPrivate.h>
#include <libkern/c++/OSKext.h>
#include <IOKit/IOLib.h>
#include <IOKit/IOService.h>
#include <IOKit/IODeviceTreeSupport.h>
#include <IOKit/IOCatalogue.h>
#if __x86_64__
#define KASLR_KEXT_DEBUG 0
#endif
#if PRAGMA_MARK
#pragma mark Bootstrap Declarations
#endif
extern "C" {
extern void (*record_startup_extensions_function)(void);
extern void (*load_security_extensions_function)(void);
};
static void bootstrapRecordStartupExtensions(void);
static void bootstrapLoadSecurityExtensions(void);
#if NO_KEXTD
extern "C" bool IORamDiskBSDRoot(void);
#endif
#if PRAGMA_MARK
#pragma mark Macros
#endif
#define CONST_STRLEN(str) (sizeof(str) - 1)
#if PRAGMA_MARK
#pragma mark Kernel Component Kext Identifiers
#endif
/*
 * Bundle identifiers of the kernel component kexts.
 *
 * KLDBootstrap::loadKernelComponentKexts() walks this table and stops at the
 * terminating NULL, so the sentinel must stay the last entry.
 */
static const char * sKernelComponentNames[] = {
    /* The kernel itself and its KPI pseudo-kexts. */
    "com.apple.kernel",
    "com.apple.kpi.bsd",
    "com.apple.kpi.dsep",
    "com.apple.kpi.iokit",
    "com.apple.kpi.libkern",
    "com.apple.kpi.mach",
    "com.apple.kpi.private",
    "com.apple.kpi.unsupported",

    /* Families and drivers listed alongside the KPIs. */
    "com.apple.iokit.IONVRAMFamily",
    "com.apple.driver.AppleNMI",
    "com.apple.iokit.IOSystemManagementFamily",
    "com.apple.iokit.ApplePlatformFamily",

    NULL    /* end-of-table sentinel */
};
#if PRAGMA_MARK
#pragma mark KLDBootstrap Class
#endif
/*
 * KLDBootstrap gathers the early-boot kext bookkeeping routines.
 *
 * Every worker method is private; the only callers are the two file-local
 * trampolines declared as friends, which the constructor installs into the
 * kernel's record_startup_extensions_function and
 * load_security_extensions_function hooks.
 */
class KLDBootstrap {
    /* File-local entry points that forward to sBootstrapObject. */
    friend void bootstrapRecordStartupExtensions(void);
    friend void bootstrapLoadSecurityExtensions(void);

private:
    /* Top-level driver: picks prelinked vs. booter kexts, then loads components. */
    void readStartupExtensions(void);

    /* Registers kexts described by the prelink info section. */
    void readPrelinkedExtensions(
        kernel_section_t * prelinkInfoSect);

    /* Registers kexts found under /chosen/memory-map in the device tree. */
    void readBooterExtensions(void);

    /* Loads each kext named in sKernelComponentNames. */
    OSReturn loadKernelComponentKexts(void);

    /* Loads "com.apple.kec."-prefixed kexts flagged as external components. */
    void loadKernelExternalComponents(void);

    /* Feeds the __BUILTIN,__info personalities to the I/O Kit catalogue. */
    void readBuiltinPersonalities(void);

    /* Loads "com.apple."-prefixed kexts flagged as security extensions. */
    void loadSecurityExtensions(void);

public:
    KLDBootstrap(void);
    ~KLDBootstrap(void);
};

/*
 * The one permitted instance. The constructor and destructor both panic when
 * invoked on any other object.
 */
static KLDBootstrap sBootstrapObject;
/*
 * Installs the bootstrap trampolines into the kernel's startup hooks.
 *
 * Only the static sBootstrapObject may be constructed; constructing any
 * other instance panics.
 * NOTE(review): the panic text suggests this code sits in a segment that is
 * discarded after boot - confirm against the link map.
 */
KLDBootstrap::KLDBootstrap(void)
{
    const bool isSingleton = (this == &sBootstrapObject);

    if (!isSingleton) {
        panic("Attempt to access bootstrap segment.");
    }

    /* Publish the entry points the rest of the kernel calls during startup. */
    record_startup_extensions_function = &bootstrapRecordStartupExtensions;
    load_security_extensions_function  = &bootstrapLoadSecurityExtensions;
}
/*
 * Withdraws the bootstrap trampolines from the kernel's startup hooks.
 *
 * Clearing both function pointers means a later call through the hooks sees
 * a null pointer rather than the address of torn-down bootstrap code.
 * Destroying any object other than sBootstrapObject panics.
 */
KLDBootstrap::~KLDBootstrap(void)
{
    const bool isSingleton = (this == &sBootstrapObject);

    if (!isSingleton) {
        panic("Attempt to access bootstrap segment.");
    }

    record_startup_extensions_function = NULL;
    load_security_extensions_function  = NULL;
}
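/*
 * Records the kexts available at startup and loads the kernel components.
 *
 * If the prelink info section exists and is non-empty, kexts are read from
 * the prelinked kernel; otherwise they are read from booter memory. After
 * that the kernel component kexts and kernel external components are loaded,
 * the built-in personalities are read, and all kext personalities are sent
 * to the catalogue.
 */
void
KLDBootstrap::readStartupExtensions(void)
{
    kernel_section_t * prelinkInfoSect = NULL;

    OSKextLog(/* kext */ NULL,
        kOSKextLogProgressLevel |
        kOSKextLogGeneralFlag | kOSKextLogDirectoryScanFlag |
        kOSKextLogKextBookkeepingFlag,
        "Reading startup extensions.");

    /*
     * getsectbyname() result is checked before use, as
     * readBuiltinPersonalities() does for its own lookup. A missing section
     * is treated like an empty one and falls back to the booter path instead
     * of dereferencing a null pointer this early in boot.
     */
    prelinkInfoSect = getsectbyname(kPrelinkInfoSegment, kPrelinkInfoSection);
    if (prelinkInfoSect && prelinkInfoSect->size) {
        readPrelinkedExtensions(prelinkInfoSect);
    } else {
        readBooterExtensions();
    }

    /* The OSReturn from loadKernelComponentKexts() is not acted on here. */
    loadKernelComponentKexts();
    loadKernelExternalComponents();
    readBuiltinPersonalities();
    OSKext::sendAllKextPersonalitiesToCatalog();

    return;
}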
/*
 * Registers the kexts described by the prelinked kernel's info plist.
 *
 * prelinkInfoSect is the prelink info section; its contents are unserialized
 * as XML and must yield a dictionary holding an array of per-kext info
 * dictionaries. An OSKext is created from each dictionary, the number of
 * entries is published on the registry root, and the prelink info segment is
 * handed back with ml_static_mfree(). Every failure path logs and jumps to
 * 'finish', which releases whatever was acquired.
 */
void
KLDBootstrap::readPrelinkedExtensions(
kernel_section_t * prelinkInfoSect)
{
/* theKernel is never assigned in this function; its release at 'finish' acts on NULL. */
OSArray * infoDictArray = NULL; OSObject * parsedXML = NULL; OSDictionary * prelinkInfoDict = NULL; OSString * errorString = NULL; OSKext * theKernel = NULL;
kernel_segment_command_t * prelinkTextSegment = NULL; kernel_segment_command_t * prelinkInfoSegment = NULL;
/* prelinkData/prelinkLength are only consumed by the CONFIG_KEXT_BASEMENT free below. */
void * prelinkData = NULL; vm_size_t prelinkLength = 0;
OSDictionary * infoDict = NULL;
IORegistryEntry * registryRoot = NULL; OSNumber * prelinkCountObj = NULL;
u_int i = 0;
#if NO_KEXTD
bool ramDiskBoot;
bool developerDevice;
bool dontLoad;
#endif
OSKextLog( NULL,
kOSKextLogProgressLevel |
kOSKextLogDirectoryScanFlag | kOSKextLogArchiveFlag,
"Starting from prelinked kernel.");
prelinkTextSegment = getsegbyname(kPrelinkTextSegment);
if (!prelinkTextSegment) {
OSKextLog( NULL,
kOSKextLogErrorLevel |
kOSKextLogDirectoryScanFlag | kOSKextLogArchiveFlag,
"Can't find prelinked kexts' text segment.");
goto finish;
}
/*
 * Debug-only dump of kernel segment start/end addresses and lengths through
 * IOLog. The file defines KASLR_KEXT_DEBUG as 0 on x86_64, so this is
 * compiled out by default. Turning it on writes kernel addresses to the
 * log, which gives away the layout that address randomization is meant to
 * hide, so it should stay off outside of debugging builds.
 */
#if KASLR_KEXT_DEBUG
unsigned long scratchSize;
vm_offset_t scratchAddr;
IOLog("kaslr: prelinked kernel address info: \n");
scratchAddr = (vm_offset_t) getsegdatafromheader(&_mh_execute_header, "__TEXT", &scratchSize);
IOLog("kaslr: start 0x%lx end 0x%lx length %lu for __TEXT \n",
(unsigned long)scratchAddr,
(unsigned long)(scratchAddr + scratchSize),
scratchSize);
scratchAddr = (vm_offset_t) getsegdatafromheader(&_mh_execute_header, "__DATA", &scratchSize);
IOLog("kaslr: start 0x%lx end 0x%lx length %lu for __DATA \n",
(unsigned long)scratchAddr,
(unsigned long)(scratchAddr + scratchSize),
scratchSize);
scratchAddr = (vm_offset_t) getsegdatafromheader(&_mh_execute_header, "__LINKEDIT", &scratchSize);
IOLog("kaslr: start 0x%lx end 0x%lx length %lu for __LINKEDIT \n",
(unsigned long)scratchAddr,
(unsigned long)(scratchAddr + scratchSize),
scratchSize);
scratchAddr = (vm_offset_t) getsegdatafromheader(&_mh_execute_header, "__KLD", &scratchSize);
IOLog("kaslr: start 0x%lx end 0x%lx length %lu for __KLD \n",
(unsigned long)scratchAddr,
(unsigned long)(scratchAddr + scratchSize),
scratchSize);
scratchAddr = (vm_offset_t) getsegdatafromheader(&_mh_execute_header, "__PRELINK_TEXT", &scratchSize);
IOLog("kaslr: start 0x%lx end 0x%lx length %lu for __PRELINK_TEXT \n",
(unsigned long)scratchAddr,
(unsigned long)(scratchAddr + scratchSize),
scratchSize);
scratchAddr = (vm_offset_t) getsegdatafromheader(&_mh_execute_header, "__PRELINK_INFO", &scratchSize);
IOLog("kaslr: start 0x%lx end 0x%lx length %lu for __PRELINK_INFO \n",
(unsigned long)scratchAddr,
(unsigned long)(scratchAddr + scratchSize),
scratchSize);
#endif
prelinkData = (void *) prelinkTextSegment->vmaddr;
prelinkLength = prelinkTextSegment->vmsize;
/*
 * Only the start address of the section is passed to the parser; the
 * section's size is not supplied at this call site.
 * NOTE(review): presumably the plist text is NUL-terminated inside the
 * section - confirm, since nothing here bounds the parse by
 * prelinkInfoSect->size.
 */
parsedXML = OSUnserializeXML((const char *)prelinkInfoSect->addr,
&errorString);
if (parsedXML) {
prelinkInfoDict = OSDynamicCast(OSDictionary, parsedXML);
}
/* Either the parse failed or the top-level object is not a dictionary. */
if (!prelinkInfoDict) {
const char * errorCString = "(unknown error)";
if (errorString && errorString->getCStringNoCopy()) {
errorCString = errorString->getCStringNoCopy();
} else if (parsedXML) {
errorCString = "not a dictionary";
}
OSKextLog( NULL, kOSKextLogErrorLevel | kOSKextLogArchiveFlag,
"Error unserializing prelink plist: %s.", errorCString);
goto finish;
}
#if NO_KEXTD
/* Defaults to a developer device unless the "developer" boot-arg overrides it. */
developerDevice = true;
PE_parse_boot_argn("developer", &developerDevice, sizeof(developerDevice));
ramDiskBoot = IORamDiskBSDRoot();
#endif
infoDictArray = OSDynamicCast(OSArray,
prelinkInfoDict->getObject(kPrelinkInfoDictionaryKey));
if (!infoDictArray) {
OSKextLog( NULL, kOSKextLogErrorLevel | kOSKextLogArchiveFlag,
"The prelinked kernel has no kext info dictionaries");
goto finish;
}
/* The exclude list is built from the info dictionaries before any kext object is created. */
OSKext::createExcludeListFromPrelinkInfo(infoDictArray);
for (i = 0; i < infoDictArray->getCount(); ++i) {
infoDict = OSDynamicCast(OSDictionary, infoDictArray->getObject(i));
if (!infoDict) {
OSKextLog( NULL,
kOSKextLogErrorLevel |
kOSKextLogDirectoryScanFlag | kOSKextLogArchiveFlag,
"Can't find info dictionary for prelinked kext #%d.", i);
continue;
}
#if NO_KEXTD
/*
 * Without kextd, kexts marked developer-only or ramdisk-only are dropped
 * when the device is not in the matching mode.
 */
dontLoad = false;
if (developerDevice == false) {
OSBoolean *devOnlyBool = OSDynamicCast(OSBoolean,
infoDict->getObject(kOSBundleDeveloperOnlyKey));
if (devOnlyBool == kOSBooleanTrue) {
dontLoad = true;
}
}
if (ramDiskBoot == false) {
OSBoolean *ramDiskOnlyBool = OSDynamicCast(OSBoolean,
infoDict->getObject(kOSBundleRamDiskOnlyKey));
if (ramDiskOnlyBool == kOSBooleanTrue) {
dontLoad = true;
}
}
if (dontLoad == true) {
OSString *bundleID = OSDynamicCast(OSString,
infoDict->getObject(kCFBundleIdentifierKey));
if (bundleID) {
OSKextLog(NULL, kOSKextLogWarningLevel | kOSKextLogGeneralFlag,
"Kext %s not loading.", bundleID->getCStringNoCopy());
}
OSNumber *addressNum = OSDynamicCast(OSNumber,
infoDict->getObject(kPrelinkExecutableLoadKey));
OSNumber *lengthNum = OSDynamicCast(OSNumber,
infoDict->getObject(kPrelinkExecutableSizeKey));
if (addressNum && lengthNum) {
/*
 * This #error is unconditional inside the NO_KEXTD region, so any build
 * with NO_KEXTD set stops here until a per-architecture free of the
 * skipped kext's executable is written.
 */
#error Pick the right way to free prelinked data on this arch
}
/*
 * Removing slot i shifts later entries down; stepping i back makes the
 * loop's ++i revisit the same index. i is unsigned, so at index 0 the
 * decrement wraps and the increment brings it back to 0.
 */
infoDictArray->removeObject(i--);
continue;
}
#endif
/*
 * The new object is released straight away.
 * NOTE(review): presumably OSKext keeps its own reference to the kext it
 * creates here - confirm in OSKext::withPrelinkedInfoDict.
 */
OSKext * newKext = OSKext::withPrelinkedInfoDict(infoDict);
OSSafeReleaseNULL(newKext);
}
/* Publish the number of prelinked kext entries as a 32-bit number on the registry root. */
registryRoot = IORegistryEntry::getRegistryRoot();
assert(registryRoot);
prelinkCountObj = OSNumber::withNumber(
(unsigned long long)infoDictArray->getCount(),
8 * sizeof(uint32_t));
assert(prelinkCountObj);
/* The explicit test still guards the call in builds where assert() is compiled out. */
if (prelinkCountObj) {
registryRoot->setProperty(kOSPrelinkKextCountKey, prelinkCountObj);
}
OSKextLog( NULL,
kOSKextLogProgressLevel |
kOSKextLogGeneralFlag | kOSKextLogKextBookkeepingFlag |
kOSKextLogDirectoryScanFlag | kOSKextLogArchiveFlag,
"%u prelinked kexts",
infoDictArray->getCount());
#if CONFIG_KEXT_BASEMENT
/* Hands back the whole prelinked text segment captured above. */
ml_static_mfree((vm_offset_t) prelinkData, prelinkLength);
#endif
/*
 * The prelink info segment is freed once its plist has been consumed.
 * prelinkInfoSect points into that segment's data, so it must not be
 * dereferenced after this point.
 */
prelinkInfoSegment = getsegbyname(kPrelinkInfoSegment);
if (prelinkInfoSegment) {
ml_static_mfree((vm_offset_t)prelinkInfoSegment->vmaddr,
(vm_size_t)prelinkInfoSegment->vmsize);
}
finish:
/* infoDictArray and prelinkInfoDict are borrowed from parsedXML and are not released separately. */
OSSafeRelease(errorString);
OSSafeRelease(parsedXML);
OSSafeRelease(theKernel);
OSSafeRelease(prelinkCountObj);
return;
}
/* Memory-map property names that carry a booter-supplied kext start with this. */
#define BOOTER_KEXT_PREFIX "Driver-"

/*
 * Layout of one memory-map property value as read by readBooterExtensions():
 * a 32-bit physical address followed by a 32-bit byte length.
 */
typedef struct _DeviceTreeBuffer {
    uint32_t paddr;     /* physical address of the data */
    uint32_t length;    /* size of the data in bytes */
} _DeviceTreeBuffer;
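/*
 * Registers the kexts that the booter left in memory.
 *
 * Walks the properties of /chosen/memory-map in the device tree plane. Each
 * property whose name starts with BOOTER_KEXT_PREFIX is read as a
 * _DeviceTreeBuffer (physical address + length), wrapped in an OSData that
 * frees the physical range on deallocation, and handed to
 * OSKext::withBooterData(). The property is then removed from the memory
 * map. Any failure on an entry logs and abandons the remaining entries.
 *
 * NOTE(review): paddr and length are taken from the device tree as-is; the
 * only check made here is that the address translates to a non-NULL virtual
 * address. Confirm that the booter's memory map is trusted at this point.
 */
void
KLDBootstrap::readBooterExtensions(void)
{
    IORegistryEntry         * booterMemoryMap  = NULL;
    OSDictionary            * propertyDict     = NULL;
    OSCollectionIterator    * keyIterator      = NULL;
    OSString                * deviceTreeName   = NULL;
    const _DeviceTreeBuffer * deviceTreeBuffer = NULL;
    char                    * booterDataPtr    = NULL;
    OSData                  * booterData       = NULL;

    OSKextLog(/* kext */ NULL,
        kOSKextLogProgressLevel |
        kOSKextLogDirectoryScanFlag | kOSKextLogKextBookkeepingFlag,
        "Reading startup extensions from booter memory.");

    booterMemoryMap = IORegistryEntry::fromPath( "/chosen/memory-map", gIODTPlane);
    if (!booterMemoryMap) {
        OSKextLog(/* kext */ NULL,
            kOSKextLogErrorLevel |
            kOSKextLogGeneralFlag | kOSKextLogDirectoryScanFlag,
            "Can't read booter memory map.");
        goto finish;
    }

    propertyDict = booterMemoryMap->dictionaryWithProperties();
    if (!propertyDict) {
        OSKextLog(/* kext */ NULL,
            kOSKextLogErrorLevel |
            kOSKextLogDirectoryScanFlag,
            "Can't get property dictionary from memory map.");
        goto finish;
    }

    keyIterator = OSCollectionIterator::withCollection(propertyDict);
    if (!keyIterator) {
        OSKextLog(/* kext */ NULL,
            kOSKextLogErrorLevel |
            kOSKextLogGeneralFlag,
            "Can't allocate iterator for driver images.");
        goto finish;
    }

    /* The exclude list is built first; the iterator is rewound for the real pass. */
    OSKext::createExcludeListFromBooterData(propertyDict, keyIterator);
    keyIterator->reset();

    while ( ( deviceTreeName =
        OSDynamicCast(OSString, keyIterator->getNextObject() ))) {
        const char * devTreeNameCString = deviceTreeName->getCStringNoCopy();
        OSData     * deviceTreeEntry    = OSDynamicCast(OSData,
            propertyDict->getObject(deviceTreeName));

        /* Drop the wrapper left over from the previous iteration. */
        OSSafeReleaseNULL(booterData);

        if (!deviceTreeEntry) {
            continue;
        }

        /*
         * Only "Driver-" entries are kexts. The NULL test matches the
         * bundle-identifier checks made elsewhere in this file before
         * strncmp() is called.
         */
        if (!devTreeNameCString ||
            strncmp(devTreeNameCString,
            BOOTER_KEXT_PREFIX,
            CONST_STRLEN(BOOTER_KEXT_PREFIX)) != 0) {
            continue;
        }

        /*
         * Ask for the size of the structure, not of the pointer: the range
         * check inside getBytesNoCopy() must cover both paddr and length
         * before either field is read. (sizeof(deviceTreeBuffer) happened to
         * give the same value only where pointers are 8 bytes.)
         */
        deviceTreeBuffer = (const _DeviceTreeBuffer *)
            deviceTreeEntry->getBytesNoCopy(0, sizeof(*deviceTreeBuffer));
        if (!deviceTreeBuffer) {
            OSKextLog(/* kext */ NULL,
                kOSKextLogErrorLevel |
                kOSKextLogDirectoryScanFlag,
                "Device tree entry %s has NULL pointer.",
                devTreeNameCString);
            goto finish;
        }

        booterDataPtr = (char *)ml_static_ptovirt(deviceTreeBuffer->paddr);
        if (!booterDataPtr) {
            OSKextLog(/* kext */ NULL,
                kOSKextLogErrorLevel |
                kOSKextLogDirectoryScanFlag,
                "Can't get virtual address for device tree entry %s.",
                devTreeNameCString);
            goto finish;
        }

        /* Wrap the booter's memory in place; no copy is made. */
        booterData = OSData::withBytesNoCopy(booterDataPtr,
            deviceTreeBuffer->length);
        if (!booterData) {
            OSKextLog(/* kext */ NULL,
                kOSKextLogErrorLevel |
                kOSKextLogGeneralFlag,
                "Error - Can't allocate OSData wrapper for device tree entry %s.",
                devTreeNameCString);
            goto finish;
        }
        /* The physical range is given back when the OSData is deallocated. */
        booterData->setDeallocFunction(osdata_phys_free);

        OSKext * newKext = OSKext::withBooterData(deviceTreeName, booterData);
        OSSafeRelease(newKext);

        /* The entry has been consumed; take it out of the live memory map. */
        booterMemoryMap->removeProperty(deviceTreeName);
    }

finish:
    OSSafeRelease(booterMemoryMap);
    OSSafeRelease(propertyDict);
    OSSafeRelease(keyIterator);
    OSSafeRelease(booterData);
    return;
}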
#define COM_APPLE "com.apple."
/*
 * Loads every known kext that is marked as a security extension.
 *
 * A kext qualifies when its bundle identifier starts with COM_APPLE and its
 * kAppleSecurityExtensionKey property for the host architecture is a true
 * OSBoolean. The prefix test is a plain string comparison on the identifier;
 * this function performs no other check on where the kext came from. The
 * result of each load request is not inspected.
 */
void
KLDBootstrap::loadSecurityExtensions(void)
{
    OSDictionary         * allKexts   = NULL;
    OSCollectionIterator * idIterator = NULL;
    OSString             * bundleID   = NULL;

    OSKextLog(/* kext */ NULL,
        kOSKextLogStepLevel |
        kOSKextLogLoadFlag,
        "Loading security extensions.");

    allKexts = OSKext::copyKexts();
    if (!allKexts) {
        return;
    }

    idIterator = OSCollectionIterator::withCollection(allKexts);
    if (idIterator) {
        while ((bundleID = OSDynamicCast(OSString, idIterator->getNextObject()))) {
            const char * idCString = bundleID->getCStringNoCopy();

            /* Skip identifiers that are missing or outside the com.apple. namespace. */
            if (!idCString) {
                continue;
            }
            if (strncmp(idCString, COM_APPLE, CONST_STRLEN(COM_APPLE)) != 0) {
                continue;
            }

            OSKext * candidate = OSDynamicCast(OSKext, allKexts->getObject(bundleID));
            if (!candidate) {
                continue;
            }

            OSBoolean * securityFlag = OSDynamicCast(OSBoolean,
                candidate->getPropertyForHostArch(kAppleSecurityExtensionKey));
            if (!securityFlag || !securityFlag->isTrue()) {
                continue;
            }

            OSKextLog(/* kext */ NULL,
                kOSKextLogStepLevel |
                kOSKextLogLoadFlag,
                "Loading security extension %s.", idCString);
            OSKext::loadKextWithIdentifier(idCString,
                /* allowDefer */ false);
        }
    } else {
        OSKextLog(/* kext */ NULL,
            kOSKextLogErrorLevel |
            kOSKextLogGeneralFlag,
            "Failed to allocate iterator for security extensions.");
    }

    OSSafeRelease(idIterator);
    OSSafeRelease(allKexts);
}
/*
 * Loads each kext named in sKernelComponentNames that is currently known.
 *
 * Names with no matching kext are skipped silently. A failed load is logged
 * and remembered, but the remaining names are still attempted.
 *
 * Returns kOSReturnSuccess if no attempted load failed, kOSReturnError
 * otherwise.
 */
OSReturn
KLDBootstrap::loadKernelComponentKexts(void)
{
    OSReturn      status     = kOSReturnSuccess;
    const char ** nameCursor = sKernelComponentNames;

    /* The table ends with a NULL sentinel. */
    while (*nameCursor) {
        const char * componentID = *nameCursor++;
        OSKext     * component   = OSKext::lookupKextWithIdentifier(componentID);

        if (!component) {
            continue;
        }

        if (OSKext::loadKextWithIdentifier(componentID, false) != kOSReturnSuccess) {
            OSKextLog(/* kext */ NULL,
                kOSKextLogErrorLevel |
                kOSKextLogDirectoryScanFlag | kOSKextLogKextBookkeepingFlag,
                "Failed to initialize kernel component %s.", componentID);
            status = kOSReturnError;
        }

        /* Drop the reference obtained from the lookup. */
        OSSafeRelease(component);
    }

    return status;
}
#define COM_APPLE_KEC "com.apple.kec."
/*
 * Loads every known kext that is marked as a kernel external component.
 *
 * A kext qualifies when its bundle identifier starts with COM_APPLE_KEC and
 * its kAppleKernelExternalComponentKey property for the host architecture is
 * a true OSBoolean. The prefix test is a plain string comparison on the
 * identifier; this function performs no other check on where the kext came
 * from. The result of each load request is not inspected.
 */
void
KLDBootstrap::loadKernelExternalComponents(void)
{
    OSDictionary         * allKexts   = NULL;
    OSCollectionIterator * idIterator = NULL;
    OSString             * bundleID   = NULL;

    OSKextLog(/* kext */ NULL,
        kOSKextLogStepLevel |
        kOSKextLogLoadFlag,
        "Loading Kernel External Components.");

    allKexts = OSKext::copyKexts();
    if (!allKexts) {
        return;
    }

    idIterator = OSCollectionIterator::withCollection(allKexts);
    if (idIterator) {
        while ((bundleID = OSDynamicCast(OSString, idIterator->getNextObject()))) {
            const char * idCString = bundleID->getCStringNoCopy();

            /* Skip identifiers that are missing or outside the com.apple.kec. namespace. */
            if (!idCString) {
                continue;
            }
            if (strncmp(idCString, COM_APPLE_KEC, CONST_STRLEN(COM_APPLE_KEC)) != 0) {
                continue;
            }

            OSKext * candidate = OSDynamicCast(OSKext, allKexts->getObject(bundleID));
            if (!candidate) {
                continue;
            }

            OSBoolean * componentFlag = OSDynamicCast(OSBoolean,
                candidate->getPropertyForHostArch(kAppleKernelExternalComponentKey));
            if (!componentFlag || !componentFlag->isTrue()) {
                continue;
            }

            OSKextLog(/* kext */ NULL,
                kOSKextLogStepLevel |
                kOSKextLogLoadFlag,
                "Loading kernel external component %s.", idCString);
            OSKext::loadKextWithIdentifier(idCString,
                /* allowDefer */ false);
        }
    } else {
        OSKextLog(/* kext */ NULL,
            kOSKextLogErrorLevel |
            kOSKextLogGeneralFlag,
            "Failed to allocate iterator for Kernel External Components.");
    }

    OSSafeRelease(idIterator);
    OSSafeRelease(allKexts);
}
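/*
 * Adds the I/O Kit personalities of built-in drivers to the catalogue.
 *
 * The __BUILTIN,__info section is unserialized as XML and must yield an
 * array of info dictionaries. For each dictionary that has a bundle
 * identifier and an "IOKitPersonalities" dictionary, every personality is
 * collected (gaining the module's bundle identifier if it has none of its
 * own) and the whole set is passed to gIOCatalogue->addDrivers(). A missing
 * section is not an error; the function simply returns.
 */
void
KLDBootstrap::readBuiltinPersonalities(void)
{
    OSObject             * parsedXML             = NULL;
    OSArray              * builtinExtensions     = NULL;
    OSArray              * allPersonalities      = NULL;
    OSString             * errorString           = NULL;
    kernel_section_t     * infosect              = NULL;
    OSCollectionIterator * personalitiesIterator = NULL;
    unsigned int           count, i;

    OSKextLog(/* kext */ NULL,
        kOSKextLogStepLevel |
        kOSKextLogLoadFlag,
        "Reading built-in kernel personalities for I/O Kit drivers.");

    infosect = getsectbyname("__BUILTIN", "__info");
    if (!infosect) {
        goto finish;
    }

    /*
     * Only the section's start address is passed to the parser.
     * NOTE(review): presumably the plist text is NUL-terminated - confirm,
     * since nothing at this call site bounds the parse by the section size.
     */
    parsedXML = OSUnserializeXML((const char *) (uintptr_t)infosect->addr,
        &errorString);
    if (parsedXML) {
        builtinExtensions = OSDynamicCast(OSArray, parsedXML);
    }
    if (!builtinExtensions) {
        const char * errorCString = "(unknown error)";

        if (errorString && errorString->getCStringNoCopy()) {
            errorCString = errorString->getCStringNoCopy();
        } else if (parsedXML) {
            errorCString = "not an array";
        }
        OSKextLog(/* kext */ NULL,
            kOSKextLogErrorLevel |
            kOSKextLogLoadFlag,
            "Error unserializing built-in personalities: %s.", errorCString);
        goto finish;
    }

    count = builtinExtensions->getCount();

    /*
     * The capacity is only an initial estimate. The allocation result is
     * checked because the loop below and addDrivers() both use the array
     * unconditionally.
     */
    allPersonalities = OSArray::withCapacity(count * 3);
    if (!allPersonalities) {
        OSKextLog(/* kext */ NULL,
            kOSKextLogErrorLevel |
            kOSKextLogLoadFlag,
            "Can't allocate array for built-in personalities.");
        goto finish;
    }

    for (i = 0; i < count; i++) {
        OSDictionary * infoDict      = NULL;
        OSString     * moduleName    = NULL;
        OSDictionary * personalities;
        OSString     * personalityName;

        /* Drop the iterator left over from the previous module. */
        OSSafeReleaseNULL(personalitiesIterator);

        infoDict = OSDynamicCast(OSDictionary,
            builtinExtensions->getObject(i));
        if (!infoDict) {
            continue;
        }

        moduleName = OSDynamicCast(OSString,
            infoDict->getObject(kCFBundleIdentifierKey));
        if (!moduleName) {
            continue;
        }

        OSKextLog(/* kext */ NULL,
            kOSKextLogStepLevel |
            kOSKextLogLoadFlag,
            "Adding personalities for built-in driver %s:",
            moduleName->getCStringNoCopy());

        personalities = OSDynamicCast(OSDictionary,
            infoDict->getObject("IOKitPersonalities"));
        if (!personalities) {
            continue;
        }

        personalitiesIterator = OSCollectionIterator::withCollection(personalities);
        if (!personalitiesIterator) {
            continue;
        }

        while ((personalityName = OSDynamicCast(OSString,
            personalitiesIterator->getNextObject()))) {
            OSDictionary * personality = OSDynamicCast(OSDictionary,
                personalities->getObject(personalityName));

            OSKextLog(/* kext */ NULL,
                kOSKextLogDetailLevel |
                kOSKextLogLoadFlag,
                "Adding built-in driver personality %s.",
                personalityName->getCStringNoCopy());

            /* An entry that is not a dictionary contributes nothing. */
            if (!personality) {
                continue;
            }

            /* A personality without its own identifier inherits the module's. */
            if (!personality->getObject(kCFBundleIdentifierKey)) {
                personality->setObject(kCFBundleIdentifierKey, moduleName);
            }
            allPersonalities->setObject(personality);
        }
    }

    gIOCatalogue->addDrivers(allPersonalities, false);

finish:
    OSSafeRelease(parsedXML);
    OSSafeRelease(allPersonalities);
    OSSafeRelease(errorString);
    OSSafeRelease(personalitiesIterator);
    return;
}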
#if PRAGMA_MARK
#pragma mark Bootstrap Functions
#endif
/*
 * Trampoline installed in record_startup_extensions_function by the
 * KLDBootstrap constructor; forwards to the singleton's
 * readStartupExtensions().
 */
static void
bootstrapRecordStartupExtensions(void)
{
    KLDBootstrap & bootstrap = sBootstrapObject;

    bootstrap.readStartupExtensions();
}
/*
 * Trampoline installed in load_security_extensions_function by the
 * KLDBootstrap constructor; forwards to the singleton's
 * loadSecurityExtensions().
 */
static void
bootstrapLoadSecurityExtensions(void)
{
    KLDBootstrap & bootstrap = sBootstrapObject;

    bootstrap.loadSecurityExtensions();
}