Hervé (Administrators) Posted May 24, 2019

Back in 2015, when Apple introduced SIP protection in El Capitan, I quickly had a look at the SIP settings and associated CsrActiveConfig 8-bit values in Enoch:

nibble bits: 4 3 2 1 | 4 3 2 1
bits:        8 7 6 5 | 4 3 2 1

Bit #1 = Kext Sig.
Bit #2 = FS Prot.
Bit #3 = Task Prot.
Bit #4 = Kernel Debug.
Bit #5 = Apple Int.
Bit #6 = DTrace Prot.
Bit #7 = NVRAM Prot.
Bit #8 = Dev. Prot.

Source: csr.h (in bsd/sys folder) of 10.11's published XNU source code at https://opensource.apple.com/

On the basis/assumption that Apple Internal & Device Configuration could be kept disabled by default (bit set to 0), CsrActiveConfig could be set to:

0000 0011 in binary, i.e. 0x03 (3 in decimal), to disable kext signing and filesystem protection
0110 0011 or 0110 1111 in binary, i.e. 0x63 or 0x6F (103 or 111 in decimal), to disable all protections that mattered

If I booted Enoch in verbose mode with CsrActiveConfig=103 (i.e. 0x63), the displayed info showed:

System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: disabled
    Filesystem Protections: disabled
    Debugging Restrictions: disabled
    DTrace Restrictions: disabled
    NVRAM Protections: disabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.

At time of writing, in the days of Clover and Catalina, most people still use CsrActiveConfig 0x63 and that's fine.
But there are also more flags to control SIP than there used to be in El Capitan:

Sierra added a 9th flag for Any Recovery OS
High Sierra added a 10th flag for Unapproved Kexts
Mojave added an 11th flag for Executable Policy Override

SIP is therefore arranged as follows:

nibble:      #3          | #2      | #1
nibble bits: 4  3  2  1  | 4 3 2 1 | 4 3 2 1
bits:        12 11 10 9  | 8 7 6 5 | 4 3 2 1

where:

Bit #1 (Kext Sig.) = Allow untrusted kexts
Bit #2 (FS Prot.) = Allow unrestricted FileSystem
Bit #3 (Task for PID) = Allow task for PID
Bit #4 (Kernel Debug.) = Allow kernel debugger
Bit #5 (Apple Int.) = Allow Apple internal
Bit #6 (DTrace Rest.) = Allow unrestricted DTrace
Bit #7 (NVRAM Prot.) = Allow unrestricted NVRAM
Bit #8 (Device Config.) = Allow device configuration
Bit #9 (Recov. OS) = Allow any recovery OS
Bit #10 (Kext App.) = Allow unapproved kexts
Bit #11 (Policy Over.) = Allow executable policy override
Bit #12 = N/A

Source: csr.h (in bsd/sys folder) of Mojave 10.14's published XNU source code at https://opensource.apple.com/

Whilst the original CsrActiveConfig of 0x03 or 0x63 remains valid by and large to most hackintoshers, some folks may also want to allow unapproved kexts on top of unsigned kexts. Keeping the same flags as for CsrActiveConfig 0x63 alongside, this would lead to a new value of 0010 0110 0011, i.e. 0x263 or 611 in decimal.
Hervé (Administrators, Author) Posted March 16, 2021

A little update further to recent discussions at InsanelyMac on the matter of SIP and macOS updates not being offered in Big Sur.

1st of all, it should be pointed out that Big Sur introduced a new 12th flag for unauthenticated root, updating SIP as follows:

nibble:      #3          | #2      | #1
nibble bits: 4  3  2  1  | 4 3 2 1 | 4 3 2 1
bits:        12 11 10 9  | 8 7 6 5 | 4 3 2 1

where:

Bit #1 (Kext Sig.) = Allow untrusted kexts
Bit #2 (FS Prot.) = Allow unrestricted FileSystem
Bit #3 (Task for PID) = Allow task for PID
Bit #4 (Kernel Debug.) = Allow kernel debugger
Bit #5 (Apple Int.) = Allow Apple internal
Bit #6 (DTrace Rest.) = Allow unrestricted DTrace
Bit #7 (NVRAM Prot.) = Allow unrestricted NVRAM
Bit #8 (Device Config.) = Allow device configuration
Bit #9 (Recov. OS) = Allow any recovery OS
Bit #10 (Kext app.) = Allow unapproved kexts
Bit #11 (Policy Over.) = Allow executable policy override
Bit #12 (Unauth. Root) = Allow unauthenticated root

Source: csr.h (in bsd/sys folder) of Big Sur 11's published XNU source code at https://opensource.apple.com/

Initially, back in the days of El Capitan, disabling SIP was mostly required to load add-on kexts, especially when these were cached. With Big Sur, this is not really required, with add-on kexts being injected from Clover and/or OpenCore, and SIP can usually remain enabled with no particular side effects/impacts.

For those who still want to disable SIP (for instance if booting Big Sur with Clover and using cached kexts), it's important not to set all flags to 1 as this blocks/prevents Big Sur updates from being offered to the Hackintosh. This is typically what happens to people who use csr-active-config 0xFFF as recommended in Dortania's OpenCore documentation.
Such a value results in the following SIP status:

admin@E6230 ~ % nvram -p | grep csr
csr-active-config %ff%0f%00%00
admin@E6230 ~ %
admin@E6230 ~ % csrutil status
System Integrity Protection status: unknown (Custom Configuration).

Configuration:
    Apple Internal: enabled
    Kext Signing: disabled
    Filesystem Protections: disabled
    Debugging Restrictions: disabled
    DTrace Restrictions: disabled
    NVRAM Protections: disabled
    BaseSystem Verification: disabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.

However, the Apple Internal flag needs to be kept disabled (i.e. bit #5 unset) for Big Sur updates to be offered. Alternative csr-active-config values such as 0x67 / 0x267 / 0x867 / 0xA67 / 0xFEF are therefore recommended instead of 0xFFF.

Example with 0xFEF:

admin@E6230 ~ % nvram -p | grep csr
csr-active-config %ef%0f%00%00
admin@E6230 ~ %
admin@E6230 ~ % csrutil status
System Integrity Protection status: unknown (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: disabled
    Filesystem Protections: disabled
    Debugging Restrictions: disabled
    DTrace Restrictions: disabled
    NVRAM Protections: disabled
    BaseSystem Verification: disabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.
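The bit table in the two posts above and the nvram/csrutil check in this one can be turned into a small decoder. The Python below is an added example, not code from Hervé's posts or from Apple: it numbers bits as the posts do (bit #1 = least significant), pairs each with the macro name XNU's bsd/sys/csr.h gives it, parses the %xx form shown by nvram -p, rebuilds a value from flag names (e.g. 0x63 plus unapproved kexts = 0x263), and flags the Apple Internal bit that the post reports as blocking Big Sur updates. The nvram dump is constructed, and to_nvram_value assumes nvram -p prints printable ASCII bytes other than '%' literally and everything else as %xx.

```python
"""Decode, encode and sanity-check csr-active-config (SIP) bitmask values.

Added example (not from the post). Bit numbering follows the post
(bit #1 = least significant bit); macro names are from XNU bsd/sys/csr.h.
"""
from __future__ import annotations

import string

# (bit number as in the post, csr.h macro, meaning as listed in the post)
CSR_FLAGS = [
    (1, "CSR_ALLOW_UNTRUSTED_KEXTS", "Allow untrusted kexts"),
    (2, "CSR_ALLOW_UNRESTRICTED_FS", "Allow unrestricted FileSystem"),
    (3, "CSR_ALLOW_TASK_FOR_PID", "Allow task for PID"),
    (4, "CSR_ALLOW_KERNEL_DEBUGGER", "Allow kernel debugger"),
    (5, "CSR_ALLOW_APPLE_INTERNAL", "Allow Apple internal"),
    (6, "CSR_ALLOW_UNRESTRICTED_DTRACE", "Allow unrestricted DTrace"),
    (7, "CSR_ALLOW_UNRESTRICTED_NVRAM", "Allow unrestricted NVRAM"),
    (8, "CSR_ALLOW_DEVICE_CONFIGURATION", "Allow device configuration"),
    (9, "CSR_ALLOW_ANY_RECOVERY_OS", "Allow any recovery OS"),
    (10, "CSR_ALLOW_UNAPPROVED_KEXTS", "Allow unapproved kexts"),
    (11, "CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE", "Allow executable policy override"),
    (12, "CSR_ALLOW_UNAUTHENTICATED_ROOT", "Allow unauthenticated root"),
]
MASK_BY_MACRO = {macro: 1 << (bit - 1) for bit, macro, _ in CSR_FLAGS}
KNOWN_MASK = sum(MASK_BY_MACRO.values())                     # 0xFFF on Big Sur
APPLE_INTERNAL = MASK_BY_MACRO["CSR_ALLOW_APPLE_INTERNAL"]    # bit #5 = 0x10


def decode(value: int) -> list[str]:
    """Macro names of every flag set in value, lowest bit first."""
    return [macro for bit, macro, _ in CSR_FLAGS if value & (1 << (bit - 1))]


def encode(*macros: str) -> int:
    """Build a csr-active-config value from macro names (unknown names raise KeyError)."""
    value = 0
    for name in macros:
        value |= MASK_BY_MACRO[name]
    return value


def unknown_bits(value: int) -> int:
    """Bits set beyond the 12 flags documented in the post."""
    return value & ~KNOWN_MASK


def blocks_updates(value: int) -> bool:
    """True when bit #5 (Apple Internal) is set, the condition the post
    reports as preventing Big Sur updates from being offered."""
    return bool(value & APPLE_INTERNAL)


def parse_nvram_value(text: str) -> int:
    """Parse the value column of `nvram -p`: %xx escapes for non-printable
    bytes, other characters taken literally; bytes are little-endian."""
    raw = bytearray()
    i = 0
    while i < len(text):
        chunk = text[i + 1:i + 3]
        if text[i] == "%" and len(chunk) == 2 and all(c in string.hexdigits for c in chunk):
            raw.append(int(chunk, 16))
            i += 3
        else:
            raw.append(ord(text[i]))
            i += 1
    return int.from_bytes(raw, "little")


def parse_nvram_dump(dump: str) -> int | None:
    """Locate csr-active-config in `nvram -p` output; None if absent."""
    for line in dump.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "csr-active-config":
            return parse_nvram_value(parts[1])
    return None


def to_nvram_value(value: int) -> str:
    """Render a 32-bit value the way `nvram -p` shows it (assumption: printable
    ASCII other than '%' appears literally, everything else as %xx)."""
    out = []
    for b in value.to_bytes(4, "little"):
        out.append(chr(b) if 0x20 <= b < 0x7F and b != 0x25 else f"%{b:02x}")
    return "".join(out)


def report(value: int) -> list[str]:
    """One 'Bit #n' line per flag with its state, mirroring the post's table."""
    return [
        f"Bit #{bit:<2} {meaning:<33} {'SET' if value & (1 << (bit - 1)) else 'clear'}"
        for bit, meaning in ((b, m) for b, _, m in CSR_FLAGS)
    ]


# Constructed sample of `nvram -p` output (not a real capture).
SAMPLE_NVRAM_DUMP = "boot-args\t-v keepsyms=1\ncsr-active-config\t%ef%0f%00%00\n"

if __name__ == "__main__":
    for value in (0x63, 0x263, 0xFFF, 0xFEF):
        print(f"0x{value:03X}  nvram: {to_nvram_value(value)}  "
              f"blocks updates: {blocks_updates(value)}")
        print("\n".join(report(value)))
    print("from dump:", hex(parse_nvram_dump(SAMPLE_NVRAM_DUMP)))
```

Running it shows why 0xFFF and 0xFEF look alike in csrutil except for the Apple Internal line: they differ only in bit #5. The unknown_bits check is a useful guard when copying values from other guides, since anything above bit #12 has no meaning in the csr.h versions the posts cite.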