How to debug kernel panic on MAC OS Catalina, as Catalina is on Read-only File system

0
votes

Facing kernel panic on accessing "Offline" attribute of SMB protocol in our custom kext. How to debug these kernel panics on MAC OS Catalina.

The debugging kernel extension steps are not supported for Catalina because of Read-only file system. Also kext with IOKit.framework does not load on MAC OS 10.14.x with error

The super class vtable '__ZTV9IOService' for vtable '__ZTV23com_microfocus_cisiokit' is out of date. Make sure your kext has been built against the correct headers.
The super class vtable '__ZTV12IOUserClient' for vtable '__ZTV8cisiokit' is out of date. Make sure your kext has been built against the correct headers.

Is there any documentation that specifies how to debug kernel panic on mac os catalina with read-only file system set up?

Note: Disabling SIP also does not work.

Thanks in advance.

2
macosmacos-catalinaiokitkernel-extensionpanic
You're asking 2 entirely unrelated questions here - please don't do that in future.pmdj
"bc its read-only", well you could just remount it as read-write with sip off. 2nd, are you trying to do live debugging?, otherwise the auto generated panic logs under /Library/Logs/Diagn.. should be sufficientJohn Smith

2 Answers

1
votes

Answer to you questions about debugging macOS kernel extensions:

There is no "/Volumes/KernelDebugKit/mach_kernel" as per the documentation

  1. Kernel Debug Kits since about OS X 10.10 must be installed. When you download and open the KDK .dmg, you need to run the installer it contains.
  2. The KDK's kernels are then permanently installed on your system under /Library/Developer/KDKs/KDK_[[os-version]].kdk/System/Library/Kernels/
  3. The default kernel image is no longer named mach_kernel, but simply kernel.

e.g. /Library/Developer/KDKs/KDK_10.15_19A536g.kdk/System/Library/Kernels/kernel

The debugging kernel extension steps are not supported for Catalina because of Read-only file system.

Unable to create PanicDumps directory to collect panic through kdump daemon under '/' volume, as Catalina is read-only file system Ref: https://developer.apple.com/library/archive/technotes/tn2004/tn2118.html

Note that kdumpd accepts the location of the dumps as its command line argument, so you can select a writable location. You will need to make a copy of the launchd plist under /Library/LaunchDaemons anyway, as the original under /System/Library/LaunchDaemons is not writable. However, I am not 100% sure if kernel dumps still work correctly on modern macOS versions.

Note also that you can technically remount the readonly OS base volume read-write. I don't recommend that on anything other than a test system, however.

0
votes

Answer to your question about kext loading:

Also kext with IOKit.framework does not load on MAC OS 10.14.x with error

Unable to load kexts with IOKit framework references with errors on MAC OS 10.14 to debug:

The super class vtable '__ZTV9IOService' for vtable '__ZTV23com_microfocus_cisiokit' is out of date. Make sure your kext has been built against the correct headers.
The super class vtable '__ZTV12IOUserClient' for vtable '__ZTV8cisiokit' is out of date. Make sure your kext has been built against the correct headers.

The clue is in the error message here: Make sure your kext has been built against the correct headers.

This error is what you encounter when you build a kext using a macOS SDK that is newer than the OS version on which you are attempting to load it. So in your case, I assume you are using the macOS 10.15 SDK to build the kext and expecting it to load on macOS 10.14. Don't do that, use the 10.14 SDK, or whichever version matches the oldest macOS version you wish to support with your kext.

Note also that kext building uses the Kernel.framework, not the IOKit.framework. The latter is used for building user space tools, libraries, and applications which access the I/O Kit.