lionheart / openradar-mirror

A mirror of radars pulled from http://openradar.me/.

34100083: NetBoot : KEXT issues on boot prevent booting with NBI of 10.13 17A352a #18256

Open openradar-mirror opened 7 years ago

openradar-mirror commented 7 years ago

Description

Area: Server (macOS Server)

Summary: NetBooting a client against an NBI made with SIU against 10.13 beta7 (17A352a) results in a hang on the progress bar during the boot sequence. A verbose boot shows the following failures on screen:

The boot never completes. I can use the same environment and boot the same client to a 10.11 NBI.

Steps to Reproduce: Create a NetBoot NBI against 10.13 beta 7 (17A352a) - no custom settings besides the user account. Set up the NBI on the server to use NFS, no model restrictions, and boot diskless. Configure a client to boot from the NBI and start the boot process.

Expected Results: The client would boot up to the NBI.

Observed Results: The boot process hangs. During a verbose boot the data on screen hints at kext issues.

Version: 10.13 beta 7 (17A352a)

Notes: 10.11 diskless NBIs hosted via NFS from the same server boot without issue.

Configuration:
- macOS 10.12.6 - Server.app version 5.3.1
- Client is a MacBookPro9,2
- NBI created macOS 10.13.0b7 (17A352a)
- NBI available over NFS, no model restrictions, Index = 123, "Make this image available for diskless booting" is checked.

- Product Version: 17A352a
- Created: 2017-08-27T01:48:14.671660
- Originated: 2017-08-26T00:00:00
- Open Radar Link: http://www.openradar.me/34100083

kbygithub commented 6 years ago

As of 17E197a, I am able to make a bootable image (couldn't before, although some of that might have been user error), and I do have the issues with diskless netboot vis-à-vis it being unable to load the kexts necessary for mounting an afpfs volume (also tried smb, but that fails for other reasons; don't want to do an rw nfs mount). This appears to be because something in the security framework necessary to load the extension at boot time isn't set up yet (the complaint about AppleKextExcludeList.kext having an invalid signature even though it is perfectly fine after boot), and it is new to High Sierra because of the stricter extension loading.

However, my symptom isn't quite as bad as yours. I will boot, but it will fall back to putting the shadow file on the local disk under these circumstances.

Note that if you first boot into recovery mode, disable system integrity, and then reboot onto the diskless system, it works as expected. But it's a pain to disable and re-enable SIP each time you want to do this (and of course may not be feasible policy-wise as well as being poor security practice).