Reporting a SEV-1 *BUG* in Monterey 12.0.1 on M1 Macs

Michael Sanders2 wrote:

Substitute "approve", by "Apple-signed KEXTs".

Technically speaking, they are "approved" by Apple somewhat. Apple approves a developer's application for a kernel-signing entitlement. The idea is that known malware developers would be rejected. But kernel extensions are such a pain that it is unlikely that anyone would make one maliciously. They are definitely not signed by Apple. They are signed by their developers.

I have no idea what "modern" versus "legacy" KEXTs are, but these are all extensions from software applications released within the last 1-6 months.

Apple officially deprecated kernel extensions in macOS 10.15 "Catalina". They were replaced with something called "system extensions". Unfortunately, in all of its user-facing apps and documentation, Apple calls them all "system extensions". But they are very different.

Apple has been discouraging kernel extensions for some time now. In some cases, they are outright disabling them if a true system extension could do the job. But in many respects, there are about as many user-authentication hoops to jump through with a system extension as there are for a kernel extension. Apple allows them, but a developer would have to have a really, really good reason to make a user approve them.

And finally, to address your original question, or statement, rather. This is not a bug. It is by design. I could have gone to even greater lengths to describe the social and financial pressures that Apple is putting on third party developers to steer them towards games instead of system utilities, but I thought that you had probably heard enough. Rest assured, I only scratched the surface. This is yet another aspect of that. It is even fully documented by Apple: Kernel extensions in macOS - Apple Support

To paraphrase that document, one or more of your kernel extensions are making the operating system suspicious. It has decided that your operating system is no longer full secure enough for credit card processing. Note that this may not actually have anything to do with Apple's discouragement of system utilities. This particular "feature" could be a regulatory requirement from the credit card industry. It might even be preemptive compliance. The credit card industry doesn't move very fast, so it is in Apple's interests to avoid giving them the opportunity to arbitrarily Apple disable kernel extensions at some point later on. Plus, it coincides with Apple's efforts to discourage system utilities anyway, so what's the harm? To Apple, I mean. If there is a conflict between some freebie or cheap 3rd party apps and financial services revenue, who do you think Apple is going to side with?

Not really a question; more a fact.

Then why did you make the post?

FYI: My 3rd-party (Apple Approved)

I'm not sure what that means. Apple doesn't "approve" of any third-party kernel extensions. They tolerate them, to some degree, but they certainly do not approve of them.

Are they all "modern" kernel extensions or are they "legacy" kernel extensions.

Substitute "approve", by "Apple-signed KEXTs". I have no idea what "modern" versus "legacy" KEXTs are, but these are all extensions from software applications released within the last 1-6 months.

Apple doesn't sign third-party software. The developer has to sign the kext using their own kext-signing certificate, but Apple doesn't sign them indicating any sort of approval.

Legacy kexts are ones written for pre-Big Sur OS versions. Modern kexts are designed to work in a more restricted environment to help mitigate the security and stability issues brought by third-party kexts. If they were Legacy kexts, you would have to set the Startup Security to "Reduced Security" in order for them to load on an M1 Mac. Reduced Security and ApplePay are mutually exclusive.

For me, third-party kernel extensions have too much potential to open a vulnerability in the system, thus making them incompatible with conducting any kind of sensitive transactions on the computer.

but I am stuck with (for example) 24 TB of NTFS drive data that I must be able to write to. Tragic, for sure.

Why are you stuck with it? Do you use it on Windows, also?

All these extensions require me to boot into RecoveryOS, then change my security to the lesser (allow 3rd party extensions).

Then as etresoft stated, this is not a bug. It is as designed.

It's not a matter of being stuck, it's all the result of your choices. If things just aren't going your way, then it's time for what my Economics 101 professor said, "Time for an agonizing reappraisal".

Pardon any lack of knowledge on my part, but can't you avoid loading third party kernel extensions by simply booting into safe mode. If so, couldn't you perform the ApplePay operations required in safe mode and then return to the normal operating mode afterwards?

- Pie Lover

The link I provided above has an entire paragraph about how Apple Silicon machines have a different security architecture. It specifically mentions how this can affect Apple Pay.

Nobody is going to actually try and prove you wrong, that's not what this forum exists to do.

If your dissatisfaction is that high, tell Apple. We're just regular user like you.