1. Welcome to the Machine: Hardware
  2. Use the source, Luke: XNU architecture, startup, shutdown and panics
  3. E X T E N D: Kexts
  4. Some Assembly Required: Kernel Architectures
  5. Spitting Image: MacOS and *OS Boot images
  6. Alone in the Dark: Boot, Panic, and Shutdown
  7. BS"D - The BSD Layer
  8. Fee, FI-FO, File: File Systems and the VFS
  9. Space Oddity: APFS
  10. Tempus Fugit: Mach Scheduling
  11. Ceci n'est pas une "heap": Mach Virtual Memory
  12. Mixed Messages: Mach IPC
  13. All in the Family: I/O Kit
  14. (no witty name yet) The Networking Stack
 

Table of Contents


  1. About this Book
  2. Welcome to the Machine: Hardware
    • Mac Devices
    • i-Devices
    • Ports
    • i-Device Connectors
    • NVRAM
    • Configuration Data
    • The Device Tree
    • The Secure Enclave Processor

  3. Use the source, Luke: XNU architecture, startup, shutdown and panics
    • Sources
    • Compiling
    • Command line arguments
    • Debugging
    • Don't Panic
      • The Panic report
      • Kernel core dumps

  4. E X T E N D: Kexts
    • What's in a kext
      • The Info.plist
      • The Kext Mach-O
    • The Kernel Programming Interface (KPI)
      • The Official KPIs
      • Unsupported
      • MacFramework
      • Private
    • The KernelCache
      • Kernelcache structure
      • __PRELINK_INFO.__info
      • "1469" kernelcaches
    • Kext Loading: The user mode perspective
      • Kext Security Requirements
      • Kext Code Signing
      • BridgeOS kext_audit (MacOS 14, T2)
      • kextd(8) (MacOS)
      • OSKext* APIs
      • Multikexts
    • Kext Loading: The kernel perspective
      • OSKext::load()
      • kxld
      • OSKext::start()
      • OSKext::stop()
      • Unloading a kext
    • Kext metadata management
      • The kmod_info
      • gLoadedKextSummaries
      • sLoadedKexts, sKextsById and the OSKext class
      • Kext Accounting

  5. Some Assembly Required: Kernel Architectures
    • Data structures
      • Linked lists & Queues (Mach)
      • Linked lists & Queues (BSD)
    • Concurrent Resource Access
      • Atomic Operations
      • hwlocks
      • Spinlocks
      • Read-Write Locks
      • Mutex Locks
      • Lock Groups
      • Per-CPU data
    • Processor Execution Modes
      • Mode Traversal
      • Intel: SYSENTER
      • Intel: IDT
      • ARM exception vectors
    • Processor Level Exception Handling
    • Interrupt Handling
    • System Call Personalities
    • User Mode Considerations

  6. Spitting Image: MacOS and *OS Boot images
    • MacOS Installation Images
    • MacOS Updates
    • *OS Software Images (.ipsw)
    • *OS OTA Updates

  7. Alone in the Dark: Boot, Panic, and Shutdown
    • Macs: EFI
    • i-Devices: iBoot
      • common code
      • The boot ROM
      • iLLB
      • iBoot (2nd stage)
      • Threat modeling iBoot
    • T2 and later enabled Macs: iBoot + EFI
      • Secure Boot
      • SMC BIOS emulation
      • Storage encryption
      • Other T2 operational aspects
    • XNU boot flow
    • Kernel threads
    • Kernel Shutdown

  9. BS"D: The BSD Layer
    • sysctl
    • BSD MALLOC Zones
    • Binary Formats
    • Processes
    • (U)Threads
    • File Descriptors
    • Character & Block Devices
    • The struct uio
    • DTrace

  10. Fee, FI-FO, File: File Systems and the VFS
    • VFS Concepts
      • Filesystems
      • Mounts
      • Vnodes
        • The ubc_info (V_REG vnodes)
    • Apple Extensions
      • Resource Forks
      • File Compression
      • Restricted (MacOS)
      • DataVault
      • Data Protection
      • FSEvents
      • Document IDs
      • Object IDs
      • Disk Mount Conditioning
      • Triggers (MacOS)
    • VFS KPIs
    • VFS SPIs
    • Case Study: FUSE
    • Case Study: NFS

  11. Space Oddity: APFS
    • A Bird's Eye View
      • File System Features
    • File System Internals
      • APFS Objects
      • APFS Object Structure
    • B-Trees
    • Containers
    • Volumes
    • The Space Manager
    • apfs.kext

  13. Tempus Fugit: Mach Scheduling
    • Mach Tasks
    • Mach Threads
    • Mach Scheduling Enhancements
      • Handoff
      • Continuations
      • Asynchronous Software Traps (ASTs)
    • Mach Schedulers
      • The Run queue
      • Priorities
      • Load Average/Mach Factor
      • Scheduler Dispatch
      • Multicore Considerations
      • Darwin 17 additions
    • Deferred Calls
      • Timer calls
      • Thread calls
    • Wait Queues
    • Turnstiles (Darwin 18)
    • Ledgers
    • Selective Forced Idle (SFI)

  14. Ceci n'est pas une "heap": Mach Virtual Memory HUGE chapter, 60+ pages!
    • The Bird's Eye View
    • The vm_map layer
      • The struct _vm_map
      • vm_objects
      • vm_pages
      • vm_map_enter and friends
      • Allocating memory
      • vm_map_copy
        • VM_MAP_COPY_ENTRY_LIST
        • VM_MAP_COPY_OBJECT
        • VM_MAP_COPY_KERNEL_BUFFER
      • Copying/Moving memory
    • The pmap Layer
      • Page Tables
        • WIMG
        • Intel
        • ARM
        • ARM Page Protection Layer (iOS 12+, A12+)
    • Pagers
      • The Apple protect pager
      • The compressor pager
      • The fourk pager (Darwin 18, ARM64)
      • The shared region pager (Darwin 18)
    • Kernel Memory Allocation
      • kmem_alloc() and friends
        • kernel_memory_allocate()
        • kmem_suballoc()
        • kmem_realloc()
      • kalloc
        • kalloc.### Zones
        • The kalloc DLUT
        • The slow path
    • The Zone Allocator
      • Zone Management
      • Zone Metadata Region
      • Zone Metadata
      • Garbage Collection
      • The Guard Mode Zone Allocator (MacOS)
      • The Zone Cache (Darwin 18)
    • Memorystatus (MacOS)/Jetsam (*OS)
    • The big picture: Kernel Memory Layout

  15. Mixed Messages: Mach IPC
    • The High Level View
    • The ipc_space_t
    • The ipc_port_t
      • Port Lifecycle
        • Port Allocation
        • Rights and Names
        • Port Deallocation
        • Reference Counting
        • Handling Messages
    • Revisiting mach_msg
      • Sending Mach Messages
      • Receiving Mach Messages
    • Message Descriptors
      • Port Right Descriptors
      • Port Set Descriptors
      • OOL Memory Descriptors
    • Vouchers
      • High Level View
      • API
      • Implementation
    • Multinode
     
  17. All in the Family: I/O Kit
    • A High Level View of IOKit
    • The IORegistry
      • User Mode APIs
      • Iterators
      • Matching Dictionaries
      • Notifications
    • Interlude: Libkern Base Classes
      • OSObject
      • OSMetaClass[Base]
        • APIs
        • Meta Class Definition
        • DefaultStructors
        • Members, methods and the Fragile Base Class problem
      • Data Objects
      • Serialization
        • XML Serialization
        • Binary Serialization
    • IOKit Base Classes
      • IORegistryEntry
      • IOService
      • ...
    • IOKit Families
    • IOKit Kernel Extensions
    • The Driver Lifecycle
    • IOWorkLoops
    • IOUserClients

  18. (No witty name yet): The Networking Stack
    • Layer V: The struct sock
    • Control Sockets
    • Layer IV: Transport Protocols
      • struct mbuf
      • domains and protosws
      • Initializing domains
    • Layer III: Network Protocols
      • The proto_input_entry
      • Protocol KPI functions
    • Layer II: Interfaces
      • The Data Link Interface Layer (DLIL)
      • The struct ifnet
    • Stacking it up
      • Receiving Data
      • Sending Data
    • Packet Filtering
      • Socket Filters
      • pf
      • socket filters
      • IP Filters
      • Interface Filters
      • BPF