
Debugging macOS Kernel Using VirtualBox - lilbunnyfoobar
https://klue.github.io/blog/2017/04/macos_kernel_debugging_vbox/
======
awalton
[puts on VMware hat].

VMware's virtualization software (ESXi, Workstation, Fusion) has the concept
of "CPUID masks", which can be used to mask off features to the guest from the
host's CPU for this kind of work. Since it is a very advanced concept, we
didn't expose it in the UI for Workstation or Fusion, but the VMX shipped with
both products should support it as far as I know (I don't _think_ we've ever
disabled that feature for a product anyhow). If you dig into the menus you can
set the flag values on ESXi, as sometimes for fleets we have admins that want
to normalize their CPU flags across all of their virtual hardware (I believe
this was very popular when the NX-bit was new).

However, you're not at a loss for the desktop products. Editing the
[vm-name].vmx file and adding the lines to control the cpuid registers is a
pretty simple endeavor; the lines are formatted 'cpuid.<cpuid-in>.<GPR> =
"value"', and value should contain the mask for the whole 32-bit register,
with a dash '-' for no special processing of this flag, "h" for using the
host's setting of this flag, '0' for explicitly disabling the flag, or '1' for
explicitly enabling the flag. For example:

    cpuid.7.ebx = "--------------------0-----------"

disables the (if I counted correctly) 20th bit from the return of CPUID in the
ebx register when CPUID is passed in '7' as a parameter to eax, which should
correspond to disabling the SMAP CPUID flag.

(The VMX file is a bit non-obvious to get to on macOS, as we use 'packages' to
make VMs nicer to handle, but simply right clicking the package and selecting
"show package contents" should reveal the VMX file.)

[takes off VMware hat].

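A small checker for the mask syntax described in the comment above. It is added here and is not code from the original post or from VMware: it applies a `cpuid.<leaf>.<reg>` mask string to a 32-bit register value and reports which bit a given string actually forces, so the bit position can be verified by machine instead of counted by hand. It assumes the string lists bit 31 first and bit 0 last (the convention VMware's published examples use), that ':' nibble separators are ignored, and that '-' and 'h' both pass the host's bit through; the function names are the example's own.

```c
/* Added example, not VMware's code: interpret "cpuid.<leaf>.<reg>" masks.
 * Assumptions: leftmost character is bit 31, rightmost is bit 0; ':' is an
 * ignored separator; '-' and 'h' keep the host value; '0'/'1' force the bit. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMAP_LEAF7_EBX_BIT 20u   /* CPUID.(EAX=7,ECX=0):EBX[20] = SMAP */

/* Apply a 32-bit-character mask to a host register value.
 * Returns 0 and writes the guest-visible value to *out, or -1 if the mask
 * has the wrong number of bit characters or an unknown character. */
int apply_cpuid_mask(const char *mask, uint32_t host, uint32_t *out)
{
    uint32_t val = host;
    int bit = 31;                       /* first character describes bit 31 */
    for (const char *p = mask; *p; p++) {
        if (*p == ':')                  /* optional nibble separator */
            continue;
        if (bit < 0)
            return -1;                  /* more than 32 bit characters */
        uint32_t m = 1u << bit;
        switch (*p) {
        case '-': case 'h': break;      /* keep host setting */
        case '0': val &= ~m; break;     /* force clear */
        case '1': val |= m;  break;     /* force set */
        default:  return -1;            /* not part of the assumed syntax */
        }
        bit--;
    }
    if (bit != -1)
        return -1;                      /* fewer than 32 bit characters */
    *out = val;
    return 0;
}

/* Which bits does the mask force to 0? Returns them as a bitmask
 * (0 for a malformed mask). */
uint32_t mask_forced_clear(const char *mask)
{
    uint32_t out;
    if (apply_cpuid_mask(mask, 0xFFFFFFFFu, &out) != 0)
        return 0;
    return ~out;
}

/* Build a mask that forces exactly one bit to `setting` ('0' or '1').
 * buf must hold 33 bytes. */
void cpuid_mask_for_bit(unsigned bit, char setting, char buf[33])
{
    memset(buf, '-', 32);
    buf[32] = '\0';
    if (bit < 32)
        buf[31 - bit] = setting;        /* bit 0 is the rightmost character */
}

int main(void)
{
    const char *posted = "--------------------0-----------";   /* from the comment */
    char smap[33];
    cpuid_mask_for_bit(SMAP_LEAF7_EBX_BIT, '0', smap);
    printf("posted mask forces clear: 0x%08x\n", mask_forced_clear(posted));
    printf("mask clearing SMAP:       cpuid.7.ebx = \"%s\"\n", smap);
#if defined(__x86_64__)
    /* On x86-64, show what the guest would see for this host's leaf 7. */
    uint32_t eax, ebx, ecx, edx, guest;
    __asm__ volatile("cpuid" : "=a"(eax), "=b"(ebx), "=c"(ecx), "=d"(edx)
                             : "a"(7u), "c"(0u));
    apply_cpuid_mask(smap, ebx, &guest);
    printf("host CPUID.7.EBX=0x%08x (SMAP=%u) -> masked 0x%08x (SMAP=%u)\n",
           ebx, (ebx >> SMAP_LEAF7_EBX_BIT) & 1u,
           guest, (guest >> SMAP_LEAF7_EBX_BIT) & 1u);
#endif
    return 0;
}
```

Because the rightmost character is bit 0, a '0' placed 21 characters from the left lands on bit 11 of the register; a mask targeting bit 20 of leaf 7 EBX (SMAP) needs the '0' in the 12th position, which is what `cpuid_mask_for_bit` produces. The same helper is handy for checking masks written in the colon-separated nibble form.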
~~~
userbinator
VirtualBox has a similar feature, via "VBoxManage modifyvm --cpuidset <leaf>
<eax> <ebx> <ecx> <edx>", which also appears to be equally undocumented and
obscure. :-)

~~~
josteink
I've seen these flags mentioned before, for both VirtualBox and VMware. And
it's always without exception been in conjunction with trying to get OS X
running in a VM on non-Apple hardware.

I'm pretty sure both VirtualBox and VMware could create an Apple-friendly
template with these settings already tweaked for what OS X expects. In fact it
would be trivial.

But for some reason they haven't.

Considering how VMware Workstation Pro actually supports running macOS on
Windows, but has the relevant config removed in production builds (needing it
to be hacked back in), I'm going to assume there's some kind of political
pressure going on here. Maybe even from a certain Cupertino-based company,
wanting to prevent the mainline virtualization providers from commoditizing
their commodity, run of the mill, standard x86 PC operating system.

That's a shame, because if they didn't, it would certainly make it much easier
for me to build a solid and reliable CI pipeline for our macOS and iOS stuff.

------
Razengan
Are there any good, up-to-date resources on macOS internals that detail
everything from the boot process to the GUI? I could only find [0], and
Apple's [1] was last updated in 2013..

[0]
[http://www.newosxbook.com/index.php?page=book](http://www.newosxbook.com/index.php?page=book)

[1]
[https://developer.apple.com/library/content/documentation/Da...](https://developer.apple.com/library/content/documentation/Darwin/Conceptual/KernelProgramming/booting/booting.html#//apple_ref/doc/uid/TP30000905-SW2-BAJJBJEG)

~~~
klue07
Jonathan Levin's MOXiI 2nd Edition volume 3 is out and I recommend you get it.
The 1st edition is still very good and can hold you off until the other
volumes are out.

Amit Singh has a Mac OS X Internals: A Systems Approach that is good as well.

There are also various talks at security conferences that detail parts of
macOS/iOS.

------
jordigh
Is this completely allowed? I'm probably misinformed, but I thought either
certain debugging calls or certain kinds of virtualisation were disallowed by
Apple. The fact that this kind of tutorial using virtualbox exists makes me
think that someone is trying to work around something. I thought you weren't
allowed to debug parts of macOS. Are there absolutely no limits, legal or
technical?

~~~
klue07
Author here. Nothing in the post is illegal.

Apple allows 3rd party kernel extensions so naturally you would need to be
able to debug the kernel. In my post, I link plenty of official Apple
documentation that provide information on how to debug the kernel.

~~~
jordigh
Yes, but that's not the whole OS. Where do your rights end to inspect the
software and hardware you bought?

Also, I was careful to not say legal/illegal but allowed/disallowed. I am
pretty sure that macOS disables some debugging calls, or at least it used to.
What are the limits?

~~~
bazinga888
Not to be rude, but why do you care?

If it's illegal, it's up to Apple to deal with it. Why go out of the way doing
free work for them?

~~~
jordigh
Because it has affected me in the past. I've had to debug stuff in the past in
macOS, thinking it would be similar to BSD, and was thwarted by technical
means to disable debuggers. I've found the experience quite distasteful and
was trying to remember what the problems were that I faced.

------
diimdeep
Anyone know if this setup can be used to debug IOKit (communication with an
external monitor over I2C)?

There is a 100% method to freeze the system while communicating with an
external monitor using the IOKit framework over I2C.
[https://apple.stackexchange.com/questions/61045/does-apple-support-ddc-ci-for-3rd-party-displays-via-apples-thunderbolt-to-dvi](https://apple.stackexchange.com/questions/61045/does-apple-support-ddc-ci-for-3rd-party-displays-via-apples-thunderbolt-to-dvi)

------
lmb
I've tried this recently, and I can't get 10.11 to build the 10.11 xnu. Parts
of the kernel throw deprecation errors, etc. Pretty weird actually. I'm
assuming this is due to toolchain mismatch, but I haven't been able to figure
it out. I'd appreciate it if anyone has any pointers.

~~~
klue07
Remove "-Werror".

Sometimes there are too many errors to deal with. I find building on a machine
that's on the exact macOS version that you are trying to build does the trick.

------
sigjuice
This probably does not need a full Xcode install, just the command line tools.
The CLT can be installed on a pristine macOS system just by typing _cc_ inside
Terminal.

------
kilroy123
I can't get VirtualBox to boot. No matter what I try, I end up with this
error:

    gIOScreenLockState

