Glossary

kernelcache

A prelinked image bundling XNU plus every kext required for boot into a single signed file iBoot can load in one read.

A kernelcache is a prelinked kernel image: XNU plus every kext marked as required for boot, link-edited together into a single signed file iBoot can load in one I/O.

Without a kernelcache, iBoot would have to read and link each kext individually at boot, which would slow boot to a crawl on a system with many drivers.

Building the kernelcache is the job of kmutil (formerly kextcache), which runs:

  • At OS install — to assemble the initial kernelcache that ships.
  • After approving a third-party kext — the user-approved kext is included in a rebuilt kernelcache, which becomes the boot image after a reboot.
  • On certain system updates — when XNU or its required kexts change.

The kernelcache contains:

  • XNU itself.
  • All boot-time kexts: the file-system kext (APFS), HID drivers, KDP, the platform expert.
  • The Merkle root hash of the Sealed System Volume — the kernel verifies the read-only system volume against this once it can read disk.

This architecture is why third-party kexts have so much install friction: changing them requires rebuilding the kernelcache, which requires Reduced Security mode, user approval in recoveryOS, and a reboot — by design.
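Because an approved third-party kext ends up inside the rebuilt boot image, listing the image's components and comparing them with a known baseline is a useful audit. The following is an added example, not code from this page or from Apple: it assumes the kernelcache has already been extracted from its signed container into a raw Mach-O in the fileset layout (filetype MH_FILESET, one LC_FILESET_ENTRY load command per component), and the function names, the baseline set and the `com.example.driver` identifier are constructed for illustration.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF       # 64-bit little-endian Mach-O
MH_FILESET = 0xC               # filetype of a fileset image
LC_FILESET_ENTRY = 0x80000035  # 0x35 | LC_REQ_DYLD

def fileset_entries(image: bytes):
    """Return [(entry_id, file_offset)]; assumes an already-extracted fileset Mach-O."""
    if len(image) < 32:
        raise ValueError("truncated Mach-O header")
    magic, _, _, filetype, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", image, 0)
    if magic != MH_MAGIC_64 or filetype != MH_FILESET:
        raise ValueError("not a 64-bit fileset Mach-O")
    end = 32 + sizeofcmds
    if end > len(image):
        raise ValueError("load commands run past end of file")
    entries, off = [], 32
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command header out of bounds")
        cmd, cmdsize = struct.unpack_from("<2I", image, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd == LC_FILESET_ENTRY:
            if cmdsize < 32:
                raise ValueError("fileset entry too short")
            _vmaddr, fileoff, name_off, _rsv = struct.unpack_from("<QQII", image, off + 8)
            if not 32 <= name_off < cmdsize:
                raise ValueError("entry_id offset out of bounds")
            raw = image[off + name_off:off + cmdsize]
            entries.append((raw.split(b"\0", 1)[0].decode("utf-8", "replace"), fileoff))
        off += cmdsize
    return entries

def unexpected_entries(image: bytes, baseline: set):
    """Names present in the image but absent from an expected baseline."""
    return [name for name, _ in fileset_entries(image) if name not in baseline]

def constructed_sample(names):
    """Build a constructed, header-only fileset image (no real kernel code)."""
    cmds = b""
    for i, name in enumerate(names):
        s = name.encode() + b"\0"
        s += b"\0" * (-len(s) % 8)  # pad each command to a multiple of 8 bytes
        cmds += struct.pack("<2IQQII", LC_FILESET_ENTRY, 32 + len(s), 0, 0x4000 * (i + 1), 32, 0) + s
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, MH_FILESET, len(names), len(cmds), 0, 0) + cmds

if __name__ == "__main__":
    print(unexpected_entries(constructed_sample(["com.apple.kernel", "com.example.driver"]), {"com.apple.kernel"}))
```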

See also: iBoot, kext, the boot sequence article.