Reputation: 639
Is there any way to check the integrity and validity of a Kernel Extension in OS X? I have to make sure that an extension whose bundle name starts with com.apple is a real extension from Apple. Maybe a certificate or whatever footprint that reveals whether the kernel extension comes from Apple or not.
Upvotes: 2
Views: 333
Reputation: 2194
Kernel extensions can reside either in /Library/Extensions or in /System/Library/Extensions.
To verify the validity and authenticity of a kernel extension, use
codesign --verify -v /Library/Extensions/hp_io_enabler_compound.kext
in the Terminal. (The kernel extension shown is just a sample of one 3rd-party kernel extension from my OS.)
The kernel extensions in /System/Library/Extensions are usually preinstalled, part of macOS itself, and cannot be changed/removed.
Use man codesign to explore more options for extracting verbose information about the extension: its entitlements, requirements, list of executables, the chain of trust, etc.
Upvotes: 0
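As an added example (not code from the answer above), the following shell script applies the codesign checks the answer describes and then compares a kext's claimed com.apple. identifier against the chain of trust that codesign reports. The Identifier= and Authority= fields are what `codesign -d -vvvv` prints on stderr; the sample outputs used for testing are constructed.

```shell
#!/bin/sh
# Added example, not part of the original answer. For each kext, run
# `codesign --verify -v` (which validates the signature chain up to Apple
# Root CA) and then read the Identifier= and Authority= lines printed by
# `codesign -d -vvvv`. The first Authority= line is the leaf certificate,
# the last one is the root. Apple's own kexts are signed with the
# "Software Signing" leaf; third-party kexts use a Developer ID leaf.

# assess_kext: takes codesign -d -vvvv output as its argument and prints
#   OK <id>              identifier and signer agree
#   SUSPECT <id> <why>   com.apple. identifier without Apple's own chain
# The name match is only meaningful after `codesign --verify` has passed.
assess_kext() {
    out=$1
    id=$(printf '%s\n' "$out" | awk -F= '/^Identifier=/ { print $2; exit }')
    leaf=$(printf '%s\n' "$out" | awk -F= '/^Authority=/ { print $2; exit }')
    root=$(printf '%s\n' "$out" | awk -F= '/^Authority=/ { r = $2 } END { print r }')
    case "$id" in
        com.apple.*)
            if [ "$leaf" = "Software Signing" ] && [ "$root" = "Apple Root CA" ]; then
                echo "OK $id"
            else
                echo "SUSPECT $id leaf='$leaf' root='$root'"
            fi ;;
        "")  echo "SUSPECT <no-identifier> unsigned or unreadable" ;;
        *)   echo "OK $id leaf='$leaf'" ;;
    esac
}

# check_kext: run the real tools on one kext path (macOS only) and assess it.
check_kext() {
    kext=$1
    codesign --verify -v "$kext" 2>/dev/null || {
        echo "SUSPECT $kext fails codesign --verify"; return 1; }
    assess_kext "$(codesign -d -vvvv "$kext" 2>&1)"
}

# scan_kexts: walk both kext locations named in the answer.
scan_kexts() {
    for k in /Library/Extensions/*.kext /System/Library/Extensions/*.kext; do
        [ -d "$k" ] && check_kext "$k"
    done
}

# Usage: sh check_kexts.sh --scan   (hypothetical file name)
if [ "${1:-}" = "--scan" ]; then scan_kexts; fi
```

Anything reported as SUSPECT carries a com.apple. identifier but was not signed through Apple's "Software Signing" certificate, which is the distinction the question asks for.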
Reputation: 639
After working on this issue, I finally found that there is no way to check for any valid footprint for a Kernel Extension. For example, by default every machine has a large group of extensions tagged with the com.apple identifier, and you can virtually use the same bundle identifier to build your own extensions, so it is impossible to distinguish which extensions are from Apple and which aren't. In conclusion, you could have extensions that are phishing in your system and are securely installed without any chance to detect and remove them. This constitutes a big hole in the security layer of OS X.
Upvotes: 1