How can I manage kexts in High Sierra and later via CLI?

Introduction

The preferred way to accept 3rd party kernel extensions (kexts) is to hit the "Allow" button that comes up in the "Security & Privacy" PrefPane, typically during software install. However, sometimes this method doesn't work properly, and manual intervention must take place.

Setting:

Boot into a recovery OS (hold Cmd+r while booting), open Terminal, and run a command like one of the following:

For HyperFS:

spctl kext-consent add JS776ETM39

For ATTO (both software and drivers):

spctl kext-consent add FC94733TZD

Querying:

While still in the recovery terminal, you can check that the kext IDs have properly loaded with:

spctl kext-consent list

Which should give output similar to this:

afx01:~ digital08$ spctl kext-consent list
Allowed Team Identifiers:
JS776ETM39
FC94733TZD
afx01:~ digital08$

Alternatively, from a working system, you can get a list of approved kext IDs at runtime:

sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy

Once within the sql prompt, run this query:

SELECT * FROM kext_policy;

This will give output similar to this:

sqlite> SELECT * FROM kext_policy;
FC94733TZD|com.attotech.driver.ATTOiSCSI|1|ATTO Technology, Inc.|5
FC94733TZD|com.ATTO.driver.ATTOThunderLinkNC2|1|ATTO Technology, Inc.|5
JS776ETM39|cn.com.bwstor.filesystems.enfs|1|Tianjin Zhongke Blue Whale Information Technologies Co., Ltd.|1
JS776ETM39|cn.com.bwstor.driver.blkvt|1|Tianjin Zhongke Blue Whale Information Technologies Co., Ltd.|1
76PTYDYVW4|com.sns.driver.SnsiSCSI|1|Studio Network Solutions|1
76PTYDYVW4|com.sns.driver.Xtarget|1|Studio Network Solutions|1
76PTYDYVW4|com.sns.driver.SNSArchitectureModel|1|Studio Network Solutions|1
FC94733TZD|com.ATTO.driver.ATTOThunderLinkNC|1|ATTO Technology, Inc.|1
sqlite>

You can now leave the sql prompt with .exit or by pressing Ctrl+d.
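To review the approved list without reading it by eye, the query output can be checked against the Team IDs you expect to see. The script below is an added example, not part of the original article; the function names are hypothetical and the column meanings (team ID, bundle ID, allowed flag, developer name, flags) are inferred from the output shown above.

```shell
#!/bin/sh
# Added example: audit kext_policy rows against an expected Team ID list.
# Input is the pipe-separated sqlite3 output shown in the article.
# Column meanings are an assumption inferred from that output:
#   team id | bundle id | allowed | developer name | flags

# audit_kext_policy "ID1 ID2 ..." < rows
# Prints: STATUS <tab> team id <tab> number of allowed kexts <tab> developer
audit_kext_policy() {
    awk -F'|' -v expected="$1" '
        BEGIN {
            n = split(expected, ids, " ")
            for (i = 1; i <= n; i++) ok[ids[i]] = 1
        }
        # Skip prompt lines and anything that is not a full row;
        # count only rows whose third column marks the kext as allowed.
        NF >= 5 && $3 == 1 { count[$1]++; dev[$1] = $4 }
        END {
            for (t in count)
                printf "%s\t%s\t%d\t%s\n",
                    ((t in ok) ? "EXPECTED" : "UNEXPECTED"), t, count[t], dev[t]
        }' | LC_ALL=C sort
}

# Team IDs present in the policy database but missing from the expected list.
unexpected_team_ids() {
    audit_kext_policy "$1" | awk -F'\t' '$1 == "UNEXPECTED" { print $2 }'
}

# Rows copied from the sample output in the article, so this runs offline.
sample_rows() {
cat <<'EOF'
sqlite> SELECT * FROM kext_policy;
FC94733TZD|com.attotech.driver.ATTOiSCSI|1|ATTO Technology, Inc.|5
FC94733TZD|com.ATTO.driver.ATTOThunderLinkNC2|1|ATTO Technology, Inc.|5
JS776ETM39|cn.com.bwstor.filesystems.enfs|1|Tianjin Zhongke Blue Whale Information Technologies Co., Ltd.|1
JS776ETM39|cn.com.bwstor.driver.blkvt|1|Tianjin Zhongke Blue Whale Information Technologies Co., Ltd.|1
76PTYDYVW4|com.sns.driver.SnsiSCSI|1|Studio Network Solutions|1
76PTYDYVW4|com.sns.driver.Xtarget|1|Studio Network Solutions|1
76PTYDYVW4|com.sns.driver.SNSArchitectureModel|1|Studio Network Solutions|1
FC94733TZD|com.ATTO.driver.ATTOThunderLinkNC|1|ATTO Technology, Inc.|1
sqlite>
EOF
}

# Expected list here is the two Team IDs added with spctl in the article.
sample_rows | audit_kext_policy "JS776ETM39 FC94733TZD"

# On a live system, feed the real database instead of sample_rows:
#   sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy \
#     'SELECT * FROM kext_policy;' | audit_kext_policy "JS776ETM39 FC94733TZD"
```

A Team ID reported as UNEXPECTED is one that was approved on the machine at some point but is not on the list you passed in, which is worth checking against the software actually installed.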

Matthew Jensen
2019-08-14 12:19