Acidanthera Bugtracker

How to compile Lilu.kext? #2412

Closed vrqq closed 3 months ago

vrqq commented 5 months ago

When I try to load Lilu.kext compiled on macOS 10.15 Catalina, I get this problem: kxld[as.vit9696.Lilu]: The vtable '__ZTV4Lilu' is malformed. Make sure your kext has been built against the correct headers.

Xcode Version 12.4 (12D4e), macOS Catalina 10.15.7 (19H2026)

The build steps are below:

  1. Get the latest version of Lilu: git clone https://github.com/acidanthera/Lilu.git
  2. In the Lilu project folder, clone the MacKernelSDK project: git clone https://github.com/acidanthera/MacKernelSDK.git
  3. Build Lilu in release: xcodebuild -configuration Release
  4. Set the permissions and try to load the kext: kextutil -v Lilu.kext

Then the error log is shown:

root@vrqqs-MBP # kextutil -v ./Lilu.kext
Defaulting to kernel file '/System/Library/Kernels/kernel'
Kext with invalid signature (-67050) allowed: <OSKext 0x7ff3f5f18960 [0x7fff8eed3ce0]> { URL = "file:///Users/vrqq/Lilu/build/Release/Lilu.kext/", ID = "as.vit9696.Lilu" }
Code Signing Failure: code signature is invalid
/Users/vrqq/Lilu/build/Release/Lilu.kext appears to be loadable (not including linkage for on-disk libraries).
Loading /Users/vrqq/Lilu/build/Release/Lilu.kext.
Disabling KextAudit: SIP is off
KextAudit initialized: audit=F
(kernel) kxld[as.vit9696.Lilu]: The vtable '__ZTV4Lilu' is malformed. Make sure your kext has been built against the correct headers.
(kernel) kxld[as.vit9696.Lilu]: The vtable '__ZTV4Lilu' is malformed. Make sure your kext has been built against the correct headers.
(kernel) Can't load kext as.vit9696.Lilu - link failed.
(kernel) Failed to load executable for kext as.vit9696.Lilu.
(kernel) Kext as.vit9696.Lilu failed to load (0xdc008016).
(kernel) Failed to load kext as.vit9696.Lilu (error 0xdc008016).
Failed to load /Users/vrqq/Lilu/build/Release/Lilu.kext - (libkern/kext) link error.
Failed to load /Users/vrqq/Lilu/build/Release/Lilu.kext - (libkern/kext) link error.
Check library declarations for your kext with kextlibs(8).

And comparing the file 'MacKernelSDK/Headers/DriverKit/IOService.h' with '/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/DriverKit20.2.sdk/System/DriverKit/System/Library/Frameworks/DriverKit.framework/Headers/IOService.h', I found that the declaration in Xcode.app has a function virtual kern_return_t RequireMaxBusStall(uint64_t maxBusStall); but MacKernelSDK does not.

The problem still exists after I add an additional Xcode build setting MACOSX_DEPLOYMENT_TARGET=10.15.

Is it a bug, or am I using the wrong compile arguments?

vit9696 commented 5 months ago

I think currently our kexts can only be loaded with OpenCore. Does your compiled kext load with OpenCore?

vrqq commented 4 months ago

> I think currently our kexts can only be loaded with OpenCore. Does your compiled kext load with OpenCore?

I boot my macOS with the original EFI and load it in the normal desktop environment.

Is it possible to load a kext on the original OS in an easy way? Using 'RestrictEvents.kext' as assistance, I want to run the OS-installer.app to upgrade, sign the kext on my own, and then create a patch without OpenCore.

vit9696 commented 4 months ago

We have not investigated this ourselves. Feel free to investigate on your own. To be honest, I think it may be possible after updating some SDK headers, but this needs time, trial & error.

vrqq commented 4 months ago

> I think currently our kexts can only be loaded with OpenCore. Does your compiled kext load with OpenCore?

How can I check whether the OS was booted by OpenCore rather than the original EFI? I attempted to download and compile the Lilu source code, and then put it on a USB drive together with the OpenCore release, but the issue persists.

BTW: Is the XNU kernel replaced by OpenCore during booting? I found that the OS internals and MacKernelSDK had different interfaces.

vrqq commented 4 months ago

> We have not investigated this ourselves. Feel free to investigate on your own. To be honest, I think it may be possible after updating some SDK headers, but this needs time, trial & error.

I attempted to compile Lilu.kext with the xnu source code (with some secret header APIs) and Kernel.framework in Xcode. Upon loading it with kextutil, the error log shows the following:

Disabling KextAudit: SIP is off
KextAudit initialized: audit=F
(kernel) kxld[as.vit9696.Lilu]: The following symbols are unresolved for this kext:
(kernel) kxld[as.vit9696.Lilu]:     __Z19mac_policy_registerP15mac_policy_confPjPv
(kernel) kxld[as.vit9696.Lilu]:     __Z21mac_policy_unregisterj
(kernel) kxld[as.vit9696.Lilu]:     ___chkstk_darwin
(kernel) Can't load kext as.vit9696.Lilu - link failed.
(kernel) Failed to load executable for kext as.vit9696.Lilu.
(kernel) Kext as.vit9696.Lilu failed to load (0xdc008016).
(kernel) Failed to load kext as.vit9696.Lilu (error 0xdc008016).

It seems that a kernel hack is required to expose the functions indicated in the error report. The commit in the XNU source code shows that these interfaces have been designated as PRIVATE. MAC policy is not KPI; see Technical Q&A QA1574, https://github.com/apple-oss-distributions/xnu/blob/main/security/mac_policy.h and https://stackoverflow.com/questions/37210080/iokit-and-trustedbsd-policy

How does OpenCore manage the interface exposure risk? I discovered that CVE-2021-30853 mentions the mac_policy API.
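As an added triage helper (not part of this thread or of the Lilu project), the following parses the two kxld failure modes shown in this issue, the malformed vtable and the unresolved private mac_policy symbols, and maps each to the cause discussed here; the log strings are constructed from the kextutil output quoted above.

```python
import re
# kxld excerpts constructed from the two kextutil logs quoted in this thread.
VTABLE_LOG = """\
(kernel) kxld[as.vit9696.Lilu]: The vtable '__ZTV4Lilu' is malformed. Make sure your kext has been built against the correct headers.
(kernel) kxld[as.vit9696.Lilu]: The vtable '__ZTV4Lilu' is malformed. Make sure your kext has been built against the correct headers.
(kernel) Can't load kext as.vit9696.Lilu - link failed.
"""
UNRESOLVED_LOG = """\
(kernel) kxld[as.vit9696.Lilu]: The following symbols are unresolved for this kext:
(kernel) kxld[as.vit9696.Lilu]:     __Z19mac_policy_registerP15mac_policy_confPjPv
(kernel) kxld[as.vit9696.Lilu]:     __Z21mac_policy_unregisterj
(kernel) kxld[as.vit9696.Lilu]:     ___chkstk_darwin
(kernel) Can't load kext as.vit9696.Lilu - link failed.
"""
KXLD_RE = re.compile(r"^\(kernel\) kxld\[(?P<kext>[^\]]+)\]:\s*(?P<msg>.*)$")
# Mangled prefixes of the private (non-KPI) MAC policy entry points named in the thread.
PRIVATE_KPI_PREFIXES = ("__Z19mac_policy_register", "__Z21mac_policy_unregister")
def parse_kxld(log):
    # Collect the kext id, malformed vtables and unresolved symbols from kxld lines.
    out = {"kext": None, "vtables": [], "unresolved": []}
    in_symbol_list = False
    for line in log.splitlines():
        m = KXLD_RE.match(line)
        if not m:
            in_symbol_list = False  # any non-kxld line ends the symbol list
            continue
        out["kext"], msg = m.group("kext"), m.group("msg").strip()
        if msg.startswith("The vtable '"):
            in_symbol_list = False
            out["vtables"].append(msg.split("'")[1])  # vtable name, e.g. __ZTV4Lilu
        elif msg.startswith("The following symbols are unresolved"):
            in_symbol_list = True
        elif in_symbol_list and msg:
            out["unresolved"].append(msg)
    out["vtables"] = list(dict.fromkeys(out["vtables"]))  # kxld logs the vtable line twice
    return out

def private_symbols(parsed):
    # Unresolved symbols that are private MAC policy interfaces rather than public KPI.
    return [s for s in parsed["unresolved"] if s.startswith(PRIVATE_KPI_PREFIXES)]

def classify(parsed):
    # Map a parsed failure to the likely cause discussed in this issue.
    if parsed["vtables"]:
        return "header_mismatch"  # built against headers that differ from the running kernel
    if private_symbols(parsed):
        return "private_kpi"  # only loadable via OpenCore injection, not kextutil
    if parsed["unresolved"]:
        return "unresolved_symbols"  # check library declarations with kextlibs(8)
    return "ok"
```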

vit9696 commented 4 months ago

Kexts injected by OpenCore are trusted as they are protected via OpenCore vaulting.

vrqq commented 3 months ago

I was able to load the Lilu.kext from the GitHub release on my OS, even though it was not booted by OpenCore, but the version I built myself cannot be loaded.
The SDKs in Xcode 12.4 are MacOSX11.1.sdk and MacOSX10.15.sdk. I compared the environment variables but found no difference from the GitHub Action. Where can I find the build guide? Thank you very much.

mikebeaton commented 3 months ago

GitHub actions produce the build which is working for you, so you should be able to start there.