PCIE DriverKit cannot be loaded correctly due to entitlements issues


My question

I already have the correct entitlements, provisioning profile and development certification, and I have turned off SIP and turned systemextensions developer on, but it still shows provider entitlements check failed.

Similar problem

PCIDriverKit Entitlement check failed (migrate KEXT to DEXT)

After installing dext correctly, it is found that it cannot be started normally, and the following error is reported.

$ sudo dmesg | grep SmiPcie                                                                        
[  389.798271]: Driver com.wuhanjingce.driverkit.SmiPcie has crashed 0 time(s)
[  389.798283]: DK: SmiPcie-0x100000d56 waiting for server com.wuhanjingce.driverkit.SmiPcie-100000d56
[  389.861199]: Sandbox apply: taskgated-helper[1409] <bytes>Sandbox: taskgated-helper(1409) deny(1) mach-lookup com.apple.CoreServices.coreservicesdSandbox: taskgated-helper(1409) deny(1) mach-lookup com.apple.DiskArbitration.diskarbitrationd7 duplicate reports for Sandbox: taskgated-helper(1409) deny(1) mach-lookup com.apple.DiskArbitration.diskarbitrationdSandbox: taskgated-helper(1409) deny(1) file-read-metadata /Volumes/IKapC3 duplicate reports for Sandbox: taskgated-helper(1409) deny(1) file-read-metadata /Volumes/IKapCSandbox: taskgated-helper(1409) deny(1) mach-lookup com.apple.DiskArbitration.diskarbitrationdSandbox: taskgated-helper(1409) deny(1) user-preference-read kCFPreferencesAnyApplication/Library/SystemExtensions/C1281214-E917-4687-83D0-DA9A41D8E4FD/com.wuhanjingce.driverkit.SmiPcie.dext/com.wuhanjingce.driverkit.SmiPcie[1408] ==> com.apple.dextDK: com.wuhanjingce.driverkit.SmiPci[1408] has team identifier 5X63ZZ6MH3
[  389.898111]: DK: SmiPcie-0x100000d56: provider entitlements check failed
[  389.898120]: DK: IOUserServer(com.wuhanjingce.driverkit.SmiPcie-0x100000d56)::exit(Entitlements check failed)

And after setting according to the method provided in the introduction, the device can be opened normally.

sudo nvram boot-args="dk=0x8001"

But my dext needs to be published correctly. Referring to the answer below, I confirmed some of my settings.


  • Sign with Apple Development.

    • dext

    • installer app

  • Entitlements.

    The entitlements file can only automatically generate a small part, and the entitlements related to applying for pci cannot be automatically added to the entitlements file.

    Do I need to copy all the entitlements in the profile to the entitlements file? I copied part of the value here.

    • dext
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.driverkit</key>
    <true/>
    <key>com.apple.developer.driverkit.allow-any-userclient-access</key>
    <true/>
    <key>com.apple.developer.driverkit.transport.pci</key>
    <array>
        <dict>
            <key>IOPCIPrimaryMatch</key>
            <string>0x000010EE&amp;0x0000FFFF</string>
        </dict>
    </array>
    <key>com.apple.developer.system-extension.redistributable</key>
    <true/>
</dict>
</plist>

    • installer
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
</dict>
</plist>

  • Provisioning profile (entitlements part)

    • dext
<key>Entitlements</key>
    <dict>
        <key>com.apple.developer.driverkit</key>
        <true/>

        <key>application-identifier</key>
        <string>5X63ZZ6MH3.com.wuhanjingce.driverkit.SmiPcie</string>
        
        <key>com.apple.application-identifier</key>
        <string>5X63ZZ6MH3.com.wuhanjingce.driverkit.SmiPcie</string>

        <key>com.apple.developer.system-extension.redistributable</key>
        <true/>
                
        <key>keychain-access-groups</key>
        <array>
                <string>5X63ZZ6MH3.*</string>
        </array>
                
        <key>get-task-allow</key>
        <true/>
                
        <key>com.apple.developer.team-identifier</key>
        <string>5X63ZZ6MH3</string>
                
        <key>com.apple.developer.driverkit.allow-any-userclient-access</key>
        <true/>
                
        <key>com.apple.developer.driverkit.transport.pci</key>
        <array>
                <dict>
                <key>IOPCIPrimaryMatch</key>
                <string>0x000010EE&amp;0x0000FFFF</string>
                </dict>
        </array>
                
        <key>com.apple.security.get-task-allow</key>
        <true/>
    </dict>

    • installer
<key>Entitlements</key>
    <dict>      
        <key>com.apple.developer.system-extension.install</key>
        <true/>
                
        <key>com.apple.developer.driverkit.allow-any-userclient-access</key>
        <true/>
                
        <key>com.apple.developer.driverkit</key>
        <true/>
                
        <key>com.apple.application-identifier</key>
        <string>5X63ZZ6MH3.com.wuhanjingce.driverkit.SmiInstall</string>
                
        <key>com.apple.developer.system-extension.redistributable</key>
        <true/>
                
        <key>keychain-access-groups</key>
        <array>
                <string>5X63ZZ6MH3.*</string>
        </array>
                
        <key>com.apple.developer.team-identifier</key>
        <string>5X63ZZ6MH3</string>
    </dict>

I think this problem should have nothing to do with the dext installer, the problem lies in my dext itself.

I want to know, what exactly is the problem that causes the error provider entitlements check failed

According to PCIDriverKit Entitlement check failed (migrate KEXT to DEXT) tested and verified

Add some information needed by @pmdj

  • ioreg -w0 -irc IOPCIDevice
+-o pcic1-bridge@0  <class IORegistryEntry:IOService:IOPCIDevice, id 0x10000060c, registered, matched, active, busy 0 (314 ms), retain 14>
  | {
  |   "IOPCIExpressLinkCapabilities" = 7551233
  |   "vendor-id" = <6b100000>
  |   "class-code" = <00040600>
  |   "#msi-vectors" = <20000000>
  |   "pci-ignore-linkstatus" = <>
  |   "#size-cells" = <02000000>
  |   "IOName" = "pci-bridge"
  |   "function-dart_force_active" = <5300000074636146>
  |   "device-protection-granularity" = <d8120f4000010000>
  |   "msi-for-bridges" = <>
  |   "function-dart_self" = <53000000666c6553>
  |   "IOPCIHPType" = 49
  |   "pcidebug" = "0:0:0(1:128)"
  |   "Thunderbolt Path" = "IOService:/AppleARMPE/arm-io@10F00000/AppleT811xIO/acio1@1F00000/AppleThunderboltHALType5/AppleThunderboltNHIType5/IOThunderboltControllerType5/IOThunderboltPort@7/IOThunderboltSwitchType5/IOThunderboltPort@3"
  |   "IOPCIExpressLinkStatus" = 4113
  |   "pci-aspm-default" = 2
  |   "IOPCIExpressCapabilities" = 66
  |   "IOServiceDEXTEntitlements" = (("com.apple.developer.driverkit.transport.pci","com.apple.developer.driverkit.transport.pci.bridge"))
  |   "IOPCIConfigured" = Yes
  |   "IOInterruptControllers" = ("APCIECMSIController-apciec1")
  |   "IODTPersist" = 0
  |   "Thunderbolt Entry ID" = 4294968839
  |   "IOPCIResourced" = Yes
  |   "AAPL,slot-name" = <536c6f742d310000>
  |   "function-dart_release_sid" = <530000006c655253>
  |   "AAPL,phandle" = <52000000>
  |   "ranges" = <0000008200001000000000000000008200001000000000000000f03f00000000000000c20000004000000000000000c2000000400000000000000040000000000000008100000000000000000000008100000000000000000000000000000000>
  |   "name" = <"pcic1-bridge">
  |   "IOPowerManagement" = {"ChildrenPowerState"=2,"CurrentPowerState"=2,"CapabilityFlags"=258,"ChildProxyPowerState"=2,"MaxPowerState"=3}
  |   "default-apcie-options" = <01001080>
  |   "IOPCITunnelLinkChange" = <>
  |   "compatible" = <"pciec-bridge">
  |   "marvel-wa-viddids" = <4b1b20914b1b23914b1b28914b1b30914b1b72914b1b7a914b1b82914b1ba0914b1b20924b1b3092281c22017b1992230311450603114206340030084b1b35924b1b7191>
  |   "PCI-Thunderbolt" = <>
  |   "AppleEmbeddedPCIEPort" = "AppleT8103PCIeCPort is not serializable"
  |   "IOReportLegendPublic" = Yes
  |   "function-dart_request_sid" = <5300000071655253>
  |   "msi-vector-base" = <00000000>
  |   "IOPCIDeviceDeviceTreeEntry" = "IOService is not serializable"
  |   "reg" = <0000000000000000000000000000000000000000>
  |   "IOPCIOnline" = Yes
  |   "IOReportLegend" = ({"IOReportGroupName"="Interrupt Statistics (by index)","IOReportChannels"=((5291294645182005248,4295098369,"               First Level Interrupt Handler Count"),(5291294645182005249,4295098369,"              Second Level Interrupt Handler Count"),(5291294645182005250,4295098369,"        First Level Interrupt Handler Time (MATUs)"),(5291294645182005251,4295098369,"   Second Level Interrupt Handler CPU Time (MATUs)"),(5291294645182005252,4295098369,"Second Level Interrupt Handler System Time (MATUs)")),"IOReportChannelInfo"={"IOReportChannelUnit"=0},"IOReportSubGroupName"="pcic1-bridge 0"})
  |   "device-id" = <12100000>
  |   "#address-cells" = <03000000>
  |   "revision-id" = <00000000>
  |   "IOInterruptSpecifiers" = (<3104000000000100>)
  |   "IOPCIMSIMode" = Yes
  | }
  | 
  +-o IOPP  <class IORegistryEntry:IOService:IOPCIBridge:IOPCI2PCIBridge:ApplePCIECHostBridge, id 0x10000061c, registered, matched, active, busy 0 (310 ms), retain 10>
    +-o pci-bridge@0  <class IORegistryEntry:IOService:IOPCIDevice, id 0x10000232f, registered, matched, active, busy 0 (47 ms), retain 15>
      | {
      |   "#address-cells" = <03000000>
      |   "class-code" = <00040600>
      |   "Tunnel Endpoint GUID" = <001580f023f34300>
      |   "IOPowerManagement" = {"ChildrenPowerState"=2,"CurrentPowerState"=2,"CapabilityFlags"=258,"ChildProxyPowerState"=2,"MaxPowerState"=3}
      |   "pci-aspm-default" = 3
      |   "IOPCIHPType" = 48
      |   "vendor-id" = <86800000>
      |   "name" = <"pci-bridge">
      |   "device-id" = <78150000>
      |   "IOChildIndex" = 1
      |   "IOPCIResourced" = Yes
      |   "IODTPersist" = 0
      |   "compatible" = <"pci8086,1578","pciclass,060400">
      |   "ranges" = <0000008200000004000000000000008200000004000000000000100400000000000000c20000004000000000000000c2000000400000000000000040000000000000008100000000000000000000008100000000000000000010000000000000>
      |   "IOPCIExpressLinkCapabilities" = 4545601
      |   "IOServiceDEXTEntitlements" = (("com.apple.developer.driverkit.transport.pci","com.apple.developer.driverkit.transport.pci.bridge"))
      |   "Thunderbolt Path" = "IOService:/AppleARMPE/arm-io@10F00000/AppleT811xIO/acio1@1F00000/AppleThunderboltHALType5/AppleThunderboltNHIType5/IOThunderboltControllerType5/IOThunderboltPort@7/IOThunderboltSwitchType5/IOThunderboltPort@1/IOThunderboltPort@1/IOThunderboltSwitchType3/IOThunderboltPort@6"
      |   "IOPCIConfigured" = Yes
      |   "Thunderbolt Entry ID" = 4294976280
      |   "Tunnel Endpoint Device Model ID" = <61660000>
      |   "Tunnel Endpoint Device Vendor ID" = <43000000>
      |   "revision-id" = <00000000>
      |   "IOPCIExpressLinkStatus" = 4161
      |   "IOPCIExpressCapabilities" = 82
      |   "pcidebug" = "1:0:0(2:128)"
      |   "IOName" = "pci-bridge"
      |   "#size-cells" = <02000000>
      |   "reg" = <0000010000000000000000000000000000000000>
      |   "IOPCITunnelL1Enable" = No
      | }
      | 
      +-o IOPP  <class IORegistryEntry:IOService:IOPCIBridge:IOPCI2PCIBridge, id 0x100002334, registered, matched, active, busy 0 (33 ms), retain 12>
        +-o pci-bridge@1  <class IORegistryEntry:IOService:IOPCIDevice, id 0x100002330, registered, matched, active, busy 0 (33 ms), retain 13>
        | | {
        | |   "#address-cells" = <03000000>
        | |   "class-code" = <00040600>
        | |   "IOPCITunnelled" = Yes
        | |   "IOPCIExpressSlotStatus" = 328
        | |   "IOPowerManagement" = {"ChildrenPowerState"=2,"CurrentPowerState"=2,"CapabilityFlags"=258,"ChildProxyPowerState"=2,"MaxPowerState"=3}
        | |   "pci-aspm-default" = 3
        | |   "IOPCIHPType" = 48
        | |   "vendor-id" = <86800000>
        | |   "name" = <"pci-bridge">
        | |   "device-id" = <78150000>
        | |   "IOChildIndex" = 1
        | |   "IOPCIResourced" = Yes
        | |   "IODTPersist" = 0
        | |   "compatible" = <"pci8086,1578","pciclass,060400">
        | |   "ranges" = <0000008200000004000000000000008200000004000000000000100400000000000000c20000000000000000000000c2000000000000000000000000000000000000008100000000000000000000008100000000000000000000000000000000>
        | |   "IOPCIExpressLinkCapabilities" = 24206403
        | |   "IOServiceDEXTEntitlements" = (("com.apple.developer.driverkit.transport.pci","com.apple.developer.driverkit.transport.pci.bridge"))
        | |   "IOPCITunnelL1Enable" = No
        | |   "IOPCIConfigured" = Yes
        | |   "revision-id" = <00000000>
        | |   "IOPCIExpressLinkStatus" = 12354
        | |   "IOPCIExpressCapabilities" = 354
        | |   "pcidebug" = "2:1:0(3:3)"
        | |   "IOName" = "pci-bridge"
        | |   "#size-cells" = <02000000>
        | |   "reg" = <0008020000000000000000000000000000000000>
        | |   "IOPCIExpressSlotCapabilities" = 262144
        | | }
        | | 
        | +-o IOPP  <class IORegistryEntry:IOService:IOPCIBridge:IOPCI2PCIBridge, id 0x100002338, registered, matched, active, busy 0 (27 ms), retain 10>
        |   +-o pci10ee,7028@0  <class IORegistryEntry:IOService:IOPCIDevice, id 0x100002332, registered, matched, active, busy 0 (27 ms), retain 15>
        |     | {
        |     |   "assigned-addresses" = <10000382000000040000000000000004000000001800038200000008000000000000010000000000>
        |     |   "IOPCITunnelRootDeviceVendorID" = <43000000>
        |     |   "IOPCIDeviceMemoryMapSize" = 262144
        |     |   "class-code" = <00800500>
        |     |   "IOPCITunnelled" = Yes
        |     |   "IODeviceMemory" = (({"address"=25836912640,"length"=67108864}),({"address"=25904021504,"length"=65536}))
        |     |   "IOPowerManagement" = {"ChildrenPowerState"=2,"CurrentPowerState"=2,"CapabilityFlags"=258,"ChildProxyPowerState"=2,"MaxPowerState"=3}
        |     |   "subsystem-vendor-id" = <ee100000>
        |     |   "pci-aspm-default" = 1
        |     |   "iommu-parent" = "IODARTMapper is not serializable"
        |     |   "IOPCIDeviceMapperPageSize" = 16384
        |     |   "IOPCIHPType" = 48
        |     |   "vendor-id" = <ee100000>
        |     |   "name" = <"pci10ee,7028">
        |     |   "device-id" = <28700000>
        |     |   "IOChildIndex" = 1
        |     |   "IOPCIResourced" = Yes
        |     |   "compatible" = <"pci10ee,7","pci10ee,7028","pciclass,058000">
        |     |   "IODEXTMatchCount" = 1
        |     |   "IOPCIExpressLinkCapabilities" = 259202
        |     |   "IOServiceDEXTEntitlements" = (("com.apple.developer.driverkit.transport.pci"))
        |     |   "IOPCITunnelL1Enable" = No
        |     |   "subsystem-id" = <07000000>
        |     |   "revision-id" = <00000000>
        |     |   "IOPCIExpressLinkStatus" = 4162
        |     |   "IOPCIExpressCapabilities" = 2
        |     |   "pcidebug" = "3:0:0"
        |     |   "IOName" = "pci10ee,7028"
        |     |   "IOPCIDeviceMemoryMapBase" = 0
        |     |   "reg" = <000003000000000000000000000000000000000010000302000000000000000000000004000000001800030200000000000000000000010000000000>
        |     |   "IOPCITunnelRootDeviceModelID" = <61660000>
        |     | }
        |     | 
        |     +-o SmiPcie  <class IORegistryEntry:IOService:IOUserService, id 0x100002342, registered, matched, active, busy 0 (0 ms), retain 8>
        +-o pci-bridge@4  <class IORegistryEntry:IOService:IOPCIDevice, id 0x100002331, registered, matched, active, busy 0 (5 ms), retain 13>
          | {
          |   "IOPCIExpressLinkCapabilities" = 74538049
          |   "vendor-id" = <86800000>
          |   "class-code" = <00040600>
          |   "IOName" = "pci-bridge"
          |   "#size-cells" = <02000000>
          |   "IOPCITunnelled" = Yes
          |   "IOPCIExpressSlotCapabilities" = 2359392
          |   "IOPCIHPType" = 48
          |   "pcidebug" = "2:4:0(4:4)"
          |   "IOChildIndex" = 2
          |   "Thunderbolt Path" = "IOService:/AppleARMPE/arm-io@10F00000/AppleT811xIO/acio1@1F00000/AppleThunderboltHALType5/AppleThunderboltNHIType5/IOThunderboltControllerType5/IOThunderboltPort@7/IOThunderboltSwitchType5/IOThunderboltPort@1/IOThunderboltPort@1/IOThunderboltSwitchType3/IOThunderboltPort@7"
          |   "IOPCIExpressLinkStatus" = 4161
          |   "pci-aspm-default" = 3
          |   "IOPCIExpressCapabilities" = 354
          |   "IOServiceDEXTEntitlements" = (("com.apple.developer.driverkit.transport.pci","com.apple.developer.driverkit.transport.pci.bridge"))
          |   "IOPCIConfigured" = Yes
          |   "IOInterruptControllers" = ("ApplePCIECLegacyIntController-apciec1","APCIECMSIController-apciec1")
          |   "IODTPersist" = 0
          |   "Thunderbolt Entry ID" = 4294976281
          |   "IOPCIResourced" = Yes
          |   "IOPowerManagement" = {"ChildrenPowerState"=2,"CurrentPowerState"=2,"CapabilityFlags"=258,"ChildProxyPowerState"=2,"MaxPowerState"=3}
          |   "ranges" = <0000008200000000000000000000008200000000000000000000000000000000000000c20000000000000000000000c2000000000000000000000000000000000000008100000000000000000000008100000000000000000000000000000000>
          |   "name" = <"pci-bridge">
          |   "IOPCITunnelLinkChange" = Yes
          |   "compatible" = <"pci8086,1578","pciclass,060400">
          |   "IOReportLegendPublic" = Yes
          |   "IOPCIExpressSlotStatus" = 0
          |   "reg" = <0020020000000000000000000000000000000000>
          |   "IOReportLegend" = ({"IOReportGroupName"="Interrupt Statistics (by index)","IOReportChannels"=((5291294645182070784,4295098369,"               First Level Interrupt Handler Count"),(5291294645182070785,4295098369,"              Second Level Interrupt Handler Count"),(5291294645182070786,4295098369,"        First Level Interrupt Handler Time (MATUs)"),(5291294645182070787,4295098369,"   Second Level Interrupt Handler CPU Time (MATUs)"),(5291294645182070788,4295098369,"Second Level Interrupt Handler System Time (MATUs)")),"IOReportChannelInfo"={"IOReportChannelUnit"=0},"IOReportSubGroupName"="pci-bridge 1"})
          |   "device-id" = <78150000>
          |   "#address-cells" = <03000000>
          |   "revision-id" = <00000000>
          |   "IOInterruptSpecifiers" = (<0100000000000000>,<3204000000000100>)
          |   "IOPCIMSIMode" = Yes
          | }
          | 
          +-o IOPP  <class IORegistryEntry:IOService:IOPCIBridge:IOPCI2PCIBridge, id 0x10000233c, registered, matched, active, busy 0 (0 ms), retain 8>


  • Info.plist
    <key>IOKitPersonalities</key>
    <dict>
        <key>SmiPcie</key>
        <dict>
            <key>CFBundleIdentifier</key>
            <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
            <key>CFBundleIdentifierKernel</key>
            <string>com.apple.kpi.iokit</string>
            <key>IOClass</key>
            <string>IOUserService</string>
            <key>IOMatchCategory</key>
            <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
            <key>IOProviderClass</key>
            <string>IOPCIDevice</string>
            <key>IOResourceMatch</key>
            <string>IOKit</string>
            <key>IOUserClass</key>
            <string>SmiPcie</string>
            <key>IOUserServerName</key>
            <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
            <key>IOPCITunnelCompatible</key>
            <true/>
            <key>IOPCIPrimaryMatch</key>
            <string>0x000010EE&amp;0x0000FFFF</string>
            <key>UserClientProperties</key>
            <dict>
                <key>IOClass</key>
                <string>IOUserUserClient</string>
                <key>IOUserClass</key>
                <string>SmiPcieUc</string>
            </dict>
        </dict>
    </dict>

There is 1 best solution below

1
pmdj On

Do I need to copy all the entitlements in the profile to the entitlements file?

No; Xcode will sometimes warn if the entitlements file doesn't contain one of the profile's entitlements, but this isn't in itself a problem, just warning you about a possible oversight.

I want to know, what exactly is the problem that causes the error provider entitlements check failed

"Provider entitlements check failed" means the dext does not satisfy the entitlements requirement posed by the provider object's IOServiceDEXTEntitlements and family-specific requirements.

For PCI, this means one of the dictionaries in the dext's com.apple.developer.driverkit.transport.pci entitlement must match the provider object. (Unless the device is a PCI bridge, in which case there are extra requirements.)

I can't see an obvious problem in what you've posted so far, but you haven't posted the match dictionary from your dext's Info.plist and the ioreg excerpt for the IOPCIDevice you're trying to match. Perhaps you could update your answer with those?
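
The check described in the answer above, as an added example that is not part of the original post or of Apple's code: it tests the dext entitlements posted in the question against provider properties transcribed from the ioreg output. The matching semantics used here (each `value&mask` entry compared with the vendor/device ID dword; the outer `IOServiceDEXTEntitlements` list treated as alternatives and each inner list as all-required) and all helper names are assumptions of this example, and only `IOPCIPrimaryMatch` dictionaries are handled.

```python
import plistlib

# The dext entitlements posted in the question (copied from the page).
DEXT_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.developer.driverkit</key><true/>
  <key>com.apple.developer.driverkit.transport.pci</key>
  <array><dict>
    <key>IOPCIPrimaryMatch</key><string>0x000010EE&amp;0x0000FFFF</string>
  </dict></array>
</dict></plist>"""

PCI_KEY = "com.apple.developer.driverkit.transport.pci"

# Provider properties transcribed from the ioreg output in the question.
ENDPOINT = {"vendor-id": "ee100000", "device-id": "28700000",
            "IOServiceDEXTEntitlements": [[PCI_KEY]]}
BRIDGE = {"vendor-id": "86800000", "device-id": "78150000",
          "IOServiceDEXTEntitlements": [[PCI_KEY, PCI_KEY + ".bridge"]]}


def le32(hex_bytes):
    """ioreg prints data properties as raw little-endian bytes."""
    return int.from_bytes(bytes.fromhex(hex_bytes), "little")


def config_id(provider):
    """Config-space dword 0: device ID in the high half, vendor ID in the low."""
    return (le32(provider["device-id"]) << 16) | (le32(provider["vendor-id"]) & 0xFFFF)


def primary_match(spec, ident):
    """spec holds space-separated 'value[&mask]' entries; any entry may match."""
    for entry in spec.split():
        value, _, mask = entry.partition("&")
        value, mask = int(value, 16), int(mask, 16) if mask else 0xFFFFFFFF
        if (ident & mask) == (value & mask):
            return True
    return False


def check(entitlements, provider):
    """Return the reasons the provider check would fail (empty list = pass)."""
    problems = []
    # Assumed semantics: outer list = alternatives, inner list = all required.
    alternatives = provider["IOServiceDEXTEntitlements"]
    if not any(all(entitlements.get(k) for k in alt) for alt in alternatives):
        missing = sorted({k for alt in alternatives for k in alt
                          if not entitlements.get(k)})
        problems.append("missing entitlement(s): " + ", ".join(missing))
    # At least one dictionary of the PCI transport entitlement must match.
    dicts = entitlements.get(PCI_KEY) or []
    ident = config_id(provider)
    if not any(primary_match(d.get("IOPCIPrimaryMatch", ""), ident) for d in dicts):
        problems.append("no %s dictionary matches 0x%08X" % (PCI_KEY, ident))
    return problems


if __name__ == "__main__":
    ents = plistlib.loads(DEXT_ENTITLEMENTS)
    for name, provider in (("pci10ee,7028", ENDPOINT), ("pci-bridge", BRIDGE)):
        print(name, check(ents, provider) or "OK")
```

For a real diagnosis, feed it the entitlements embedded in the signed dext (for example from `codesign -d --entitlements :- <path to .dext>`) rather than the project's entitlements file, since the signed copy is what the system evaluates.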