This repository contains scripts to build xnu as well as generate a kernel collection and CodeQL databases.
| Version    | Compiles | CodeQL | Boots (arm64/x86_64) |
|------------|----------|--------|----------------------|
| macOS 13.0 | ✅ | DB | ❔ / ❔ |
| macOS 13.1 | ✅ | DB | ❔ / ❔ |
| macOS 13.2 | ✅ | DB | ❔ / ❔ |
| macOS 13.3 | ✅ | DB | ❔ / ❔ |
| macOS 13.4 | ✅ | DB | ❔ / ❔ |
| macOS 13.5 | ✅ | DB | ❔ / ❔ |
| macOS 14.0 | ✅ | DB | ❔ / ❔ |
| macOS 14.1 | ✅ | DB | ❔ / ❔ |
| macOS 14.2 | ✅ | DB | ❔ / ❔ |
| macOS 14.3 | ✅ | DB | ✅ / ✅ |
| macOS 14.4 | ❌ | ❌ | ❌ / ❌ |
> **Note**
> CodeQL DBs are built with `MACHINE_CONFIG=VMAPPLE`.

macOS 14.3 booted:

- via Virtualization.framework with `MACHINE_CONFIG=VMAPPLE`
- via qemu with `ARCH_CONFIG=x86_64`
- via ASi (Apple Silicon), tested with `MACHINE_CONFIG=T8101` and `MACHINE_CONFIG=T6000`

Currently `MACHINE_CONFIG=T8103` is not building correctly for at least 14.3.

> **Note**
> When attempting to boot, try adding the boot-arg: `sudo nvram boot-args="-unsafe_kernel_text"`
I'm hoping to patch and build the xnu source in interesting ways to aid in research and development of macOS/iOS security research tools as well as generate CodeQL databases for the community to use.
> **Note**
> The `build.sh` script will install all these for you if you are connected to the internet.
```bash
git clone https://github.com/blacktop/darwin-xnu-build.git
cd darwin-xnu-build
```

```
❯ ./build.sh --help
Usage: build.sh [-h] [--clean] [--kc]

This script builds the macOS XNU kernel

Where:
    -h|--help    show this help text
    -c|--clean   cleans build artifacts and cloned repos
    -k|--kc      create kernel collection (via kmutil create)
```

```bash
KERNEL_CONFIG=RELEASE ARCH_CONFIG=ARM64 MACHINE_CONFIG=T6000 ./build.sh --kc
```
> **Note**
> Supported `KERNEL_CONFIG` values include `RELEASE` and `DEVELOPMENT`.
> Supported `MACHINE_CONFIG` values include `T8101`, `T8103`, `T6000` and `VMAPPLE`.
```
<SNIP>
   ⇒ 📦 Building kernel collection for 'kernel.release.t6000'
      • Decompressing KernelManagement kernelcache
Merged LINKEDIT:
  weak bindings size:          0KB
  exports info size:           0KB
  bindings size:               0KB
  lazy bindings size:          0KB
  function starts size:       41KB
  data in code size:           0KB
  symbol table size:        3702KB (85348 exports, 87979 imports)
  symbol string pool size:  6465KB
LINKEDITS optimized from 30MB to 10MB
time to layout cache: 0ms
time to copy cached dylibs into buffer: 1ms
time to adjust segments for new split locations: 2ms
time to bind all images: 8ms
time to optimize Objective-C: 0ms
time to do stub elimination: 0ms
time to optimize LINKEDITs: 2ms
time to compute slide info: 1ms
time to compute UUID and codesign cache file: 1ms
   🎉 XNU Build Done!
```
Check that the output contains all the KEXTs:

```
❯ ipsw macho info build/oss-xnu.kc | head
Magic         = 64-bit MachO
Type          = FILESET
CPU           = AARCH64, ARM64e
Commands      = 241 (Size: 17160)
Flags         = None
000: LC_UUID                  67DF7148-8EEC-B1A6-5F51-7502DADF2264
001: LC_BUILD_VERSION         Platform: unknown, SDK: 0.0
002: LC_UNIXTHREAD            Threads: 1, ARM64 EntryPoint: 0xfffffe0007ad1488
003: LC_DYLD_CHAINED_FIXUPS   offset=0x003690000 size=0x444
004: LC_SEGMENT_64            sz=0x00008000 off=0x00000000-0x00008000 addr=0xfffffe0007004000-0xfffffe000700c000 r--/r-- __TEXT
<SNIP>
```
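The `Type = FILESET` line above is the hook for checking the kernel collection mechanically: a kernel collection produced by `kmutil create` is a Mach-O of filetype `MH_FILESET`, and each embedded kernel or KEXT is recorded as an `LC_FILESET_ENTRY` load command carrying its bundle id. The script below is an added example, not part of darwin-xnu-build or ipsw; it walks the load commands using the struct layouts from `<mach-o/loader.h>`, lists the entry ids, and reports which of an expected set of bundle ids are missing. The sample fileset and the bundle ids in `SAMPLE_IDS` are constructed so the script runs offline; pass a real `.kc` path as the first argument to inspect an actual build.

```python
"""List the entries (kernel + KEXTs) packed into an XNU kernel collection.

Added example, not part of darwin-xnu-build or ipsw.  A kernel collection
produced by `kmutil create` (e.g. build/oss-xnu.kc) is a Mach-O whose
filetype is MH_FILESET; it carries one LC_FILESET_ENTRY load command per
embedded kernel or KEXT.  The struct layouts below follow <mach-o/loader.h>.
The sample fileset is constructed inline so the script runs offline; pass a
real .kc path as argv[1] to inspect an actual build.
"""
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF       # 64-bit Mach-O, little-endian on disk
MH_FILESET = 0xC               # filetype of a kernel collection
LC_REQ_DYLD = 0x80000000
LC_FILESET_ENTRY = 0x35 | LC_REQ_DYLD
LC_UUID = 0x1B
CPU_TYPE_ARM64 = 0x0100000C
HEADER_SIZE = 32               # sizeof(struct mach_header_64)

# Constructed sample bundle ids; the real KEXT list depends on the build.
SAMPLE_IDS = ["com.apple.kernel", "com.apple.driver.AppleARMPlatform"]


def fileset_entries(data: bytes) -> list[str]:
    """Return the entry ids of every LC_FILESET_ENTRY in an MH_FILESET Mach-O."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated mach_header_64")
    magic, _cpu, _sub, filetype, ncmds, sizeofcmds, _flags, _rsv = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError(f"not a 64-bit little-endian Mach-O (magic {magic:#x})")
    if filetype != MH_FILESET:
        raise ValueError(f"not a fileset (filetype {filetype:#x})")
    end = HEADER_SIZE + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    entries, off = [], HEADER_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError(f"bad cmdsize {cmdsize} at offset {off:#x}")
        if cmd == LC_FILESET_ENTRY:
            # struct fileset_entry_command: cmd, cmdsize, vmaddr, fileoff,
            # entry_id (lc_str: offset from the start of this command), reserved
            _vmaddr, _fileoff, name_off = struct.unpack_from("<QQI", data, off + 8)
            if name_off >= cmdsize:
                raise ValueError("entry_id offset outside its load command")
            raw = data[off + name_off:off + cmdsize]
            entries.append(raw.split(b"\0", 1)[0].decode("ascii"))
        off += cmdsize
    return entries


def is_fileset(data: bytes) -> bool:
    """True if data parses as an MH_FILESET Mach-O with well-formed load commands."""
    try:
        fileset_entries(data)
        return True
    except ValueError:
        return False


def missing_kexts(data: bytes, expected: set[str]) -> set[str]:
    """Expected bundle ids that are absent from the kernel collection."""
    return expected - set(fileset_entries(data))


def _fileset_entry(vmaddr: int, fileoff: int, entry_id: str) -> bytes:
    """Encode one LC_FILESET_ENTRY, padded to 8 bytes as the linker emits it."""
    name = entry_id.encode("ascii") + b"\0"
    body = struct.pack("<QQII", vmaddr, fileoff, 32, 0) + name   # entry_id.offset == 32
    size = 8 + len(body)
    pad = (-size) % 8
    return struct.pack("<2I", LC_FILESET_ENTRY, size + pad) + body + b"\0" * pad


def build_sample_fileset(entry_ids: list[str]) -> bytes:
    """Constructed minimal MH_FILESET: header plus load commands, no segment data."""
    cmds = struct.pack("<2I16s", LC_UUID, 24, bytes(16))
    base = 0xFFFFFE0007004000
    for i, eid in enumerate(entry_ids):
        cmds += _fileset_entry(base + i * 0x100000, i * 0x100000, eid)
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 2, MH_FILESET,
                         1 + len(entry_ids), len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_fileset(SAMPLE_IDS)
    for eid in fileset_entries(blob):
        print(eid)
```

Every size and offset read from the file is bounds-checked against `sizeofcmds` and the command's own `cmdsize` before it is used, so a truncated or corrupted collection fails with a `ValueError` rather than an out-of-range read; `missing_kexts` is the call to wire into a build script once the expected bundle-id list for a given `MACHINE_CONFIG` is known.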
To clean the build artifacts and cloned repos and rebuild with a kernel collection:

```bash
KERNEL_CONFIG=RELEASE ARCH_CONFIG=ARM64 MACHINE_CONFIG=T6000 ./build.sh --clean --kc
```
```bash
./codeql.sh
```

```
<SNIP>
[2023-03-03 22:33:20] [build-stdout]    🎉 XNU Build Done!
Finalizing database at darwin-xnu-build/xnu-codeql.
Running TRAP import for CodeQL database at darwin-xnu-build/xnu-codeql...
TRAP import complete (1m46s).
Successfully created database at darwin-xnu-build/xnu-codeql.
[info] Deleting log files...
[info] Zipping the CodeQL database...
   🎉 CodeQL Database Create Done!
```
The script builds and zips up the CodeQL database:

```
❯ ll xnu-codeql.zip
-rw-r--r--@ 1 blacktop  staff   219M Mar  3 22:35 xnu-codeql.zip
```
Install deps (packer, tart and cirrus):

```bash
make deps
```

Build the VM image:

```bash
make build-vm
```

Create the CodeQL DB:

```bash
make codeql-db
```

```
> Building CodeQL Database
🕓 'Build' Task 08:22
✅ pull virtual machine 0.0s
✅ 'Build' Task 47:59
🎉 Done! 🎉
🕒 'Build' Task 46:28
✅ 'Build' Task 48:15
```

```
❯ tree artifacts/
artifacts/
└── Build
    └── binary
        └── xnu-codeql.zip

3 directories, 1 file
```
- Auto build xnu with GitHub Actions
- Auto generate CodeQL database with GitHub Actions
To see kernel logs:

```bash
log show --debug --last boot --predicate 'process == "kernel"'
```