- Welcome to the Machine: Hardware
- Use the source, Luke: XNU architecture, startup, shutdown and panics
- E X T E N D: Kexts
- Some Assembly Required: Kernel Architectures
- Spitting Image: MacOS and *OS Boot images
- Alone in the Dark: Boot, Panic, and Shutdown
- BS"D - The BSD Layer
- Fee, FI-FO, File: File Systems and the VFS
- Space Oddity: APFS
- Tempus Fugit: Mach Scheduling
- Ceci n'est pas une "heap": Mach Virtual Memory
- Mixed Messages: Mach IPC
- All in the Family: I/O Kit
- (no witty name yet) The Networking Stack
Table of Contents
- About this Book
- Welcome to the Machine: Hardware
- Mac Devices
- i-Devices
- Ports
- i-Device Connectors
- NVRAM
- Configuration Data
- The Device Tree
- The Secure Enclave Processor
- Use the source, Luke: XNU architecture, startup, shutdown and panics
- Sources
- Compiling
- Command line arguments
- Debugging
- Don't Panic
- The Panic report
- Kernel core dumps
- E X T E N D: Kexts
- What's in a kext
- The Info.plist
- The Kext Mach-O
- The Kernel Programming Interface (KPI)
- The Official KPIs
- Unsupported
- MacFramework
- Private
- The KernelCache
- Kernelcache structure
- __PRELINK_INFO.__info
- "1469" kernelcaches
- Kext Loading: The user mode perspective
- Kext Security Requirements
- Kext Code Signing
- BridgeOS kext_audit (MacOS 14, T2)
- kextd(8) (MacOS)
- OSKext* APIs
- Multikexts
- Kext Loading: The kernel perspective
- OSKext::load()
- kxld
- OSKext::start()
- OSKext::stop()
- Unloading a kext
- Kext metadata management
- The kmod_info
- gLoadedKextSummaries
- sLoadedKexts, sKextsById and the OSKext class
- Kext Accounting
- Some Assembly Required: Kernel Architectures
- Data structures
- Linked lists & Queues (Mach)
- Linked lists & Queues (BSD)
- Concurrent Resource Access
- Atomic Operations
- hwlocks
- Spinlocks
- Read-Write Locks
- Mutex Locks
- Lock Groups
- Per-CPU data
- Processor Execution Modes
- Mode Traversal
- Intel: SYSENTER
- Intel: IDT
- ARM exception vectors
- Processor Level Exception Handling
- Interrupt Handling
- System Call Personalities
- User Mode Considerations
- Spitting Image: MacOS and *OS Boot images
- MacOS Installation Images
- MacOS Updates
- *OS Software Images (.ipsw)
- *OS OTA Updates
- Alone in the Dark: Boot, Panic, and Shutdown
- Macs: EFI
- i-Devices: iBoot
- common code
- The boot ROM
- iLLB
- iBoot (2nd stage)
- Threat modeling iBoot
- T2 and later enabled Macs: iBoot + EFI
- Secure Boot
- SMC BIOS emulation
- Storage encryption
- Other T2 operational aspects
- XNU boot flow
- Kernel threads
- Kernel Shutdown
- BS"D: The BSD Layer
- sysctl
- BSD MALLOC Zones
- Binary Formats
- Processes
- (U)Threads
- File Descriptors
- Character & Block Devices
- The struct uio
- DTrace
- Fee, FI-FO, File: File Systems and the VFS
- VFS Concepts
- Filesystems
- Mounts
- Vnodes
- The ubc_info (V_REG vnodes)
- Apple Extensions
- Resource Forks
- File Compression
- Restricted (MacOS)
- DataVault
- Data Protection
- FSEvents
- Document IDs
- Object IDs
- Dist Mount Conditioning
- Triggers (MacOS)
- VFS KPIs
- VFS SPIs
- Case Study: FUSE
- Case Study: NFS
- Space Oddity: APFS
- A Bird's Eye View
- File System Internals
- APFS Objects
- APFS Object Structure
- B-Trees
- Containers
- Volumes
- The Space Manager
- apfs.kext
- Tempus Fugit: Mach Scheduling
- Mach Tasks
- Mach Threads
- Mach Scheduling Enhancements
- Handoff
- Continuations
- Asynchronous Software Traps (ASTs)
- Mach Schedulers
- The Run queue
- Priorities
- Load Average/Mach Factor
- Scheduler Dispatch
- Multicore Considerations
- Darwin 17 additions
- Deferred Calls
- Wait Queues
- Turnstiles (Darwin 18)
- Ledgers
- Selective Forced Idle (SFI)
- Ceci n'est pas une "heap": Mach Virtual Memory HUGE chapter, 60+ pages!
- The Bird's Eye View
- The vm_map layer
- The struct _vm_map
- vm_objects
- vm_pages
- vm_map_enter and friends
- Allocating memory
- vm_map_copy
- VM_MAP_COPY_ENTRY_LIST
- VM_MAP_COPY_OBJECT
- VM_MAP_COPY_KERNEL_BUFFER
- Copying/Moving memory
- The pmap Layer
- Page Tables
- WIMG
- Intel
- ARM
- ARM Page Protection Layer (iOS 12+, A12+)
- Pagers
- The Apple protect pager
- The compressor pager
- The fourk pager (Darwin 18, ARM64)
- The shared region pager (Darwin 18)
- Kernel Memory Allocation
- kmem_alloc() and friends
- kernel_memory_allocate()
- kmem_suballoc()
- kmem_realloc()
- kalloc
- kalloc.### Zones
- The kalloc DLUT
- The slow path
- The Zone Allocator
- Zone Management
- Zone Metadata Region
- Zone Metadata
- Garbage Collection
- The Guard Mode Zone Allocator (MacOS)
- The Zone Cache (Darwin 18)
- Memorystatus (MacOS)/Jetsam (*OS)
- The big picture: Kernel Memory Layout
- Mixed Messages: Mach IPC
- The High Level View
- The ipc_space_t
- The ipc_port_t
- Port Lifecycle
- Port Allocation
- Rights and Names
- Port Deallocation
- Reference Counting
- Handling Messages
- Revisiting mach_msg
- Sending Mach Messages
- Receiving Mach Messages
- Message Descriptors
- Port Right Descriptors
- Port Set Descriptors
- OOL Memory Descriptors
- Vouchers
- High Level View
- API
- Implementation
- Multinode
- All in the Family: I/O Kit
- A High Level View of IOKit
- The IORegistry
- User Mode APIs
- Iterators
- Matching Dictionaries
- Notifications
- Interlude: Libkern Base Classes
- OSObject
- OSMetaClass[Base]
- APIs
- Meta Class Definition
- DefaultStructors
- Members, methods and the Fragile Base Class problem
- Data Objects
- Serialization
- XML Serialization
- Binary Serialization
- IOKit Base Classes
- IORegistryEntry
- IOService
- ...
- IOKit Families
- IOKit Kernel Extensions
- The Driver Lifecycle
- IOWorkLoops
- IOUserClients
- (No witty name yet): The Networking Stack
- Layer V: The struct sock
- Control Sockets
- Layer IV: Transport Protocols
- struct mbuf
- domains and protosws
- Initializing domains
- Layer III: Network Protocols
- The proto_input_entry
- Protocol KPI functions
- Layer II: Interfaces
- The Data Link Interface Layer (DLIL)
- The struct ifnet
- Stacking it up
- Receiving Data
- Sending Data
- Packet Filtering
- Socket Filters
- pf
- socket filters
- IP Filters
- Interface Filters
- BPF