How do I disable SIP (System Integrity Protection)?


Hervé

Back in 2015, when Apple introduced SIP protection in El Capitan, I quickly had a look at the SIP settings and associated CsrActiveConfig 8bit values in Enoch:

nibble:    4   3   2   1   |   4   3   2   1
bits:      -   -   -   -   |   -   -   -   -
           |   |   |   |       |   |   |   |
           |   |   |   |       |   |   |   |
           |   |   |   |       |   |   |   |
          /    |   |   |       |   |   |    \
Dev. Prot.    /    |   |       |   |    \    Kext Sig.
  NVRAM Prot.     /    |       |    \    FS Prot.
     DTrace Prot.     /         \    Task Prot.
           Apple Int.            Kernel Debug.

 

Source: csr.h (in bsd/sys folder) of 10.11's published XNU source code at https://opensource.apple.com/

 

On the basis/assumption that Apple Internal & Device Configuration could be kept disabled by default (bit set to 0), CsrActiveConfig could be set to:

  • 0000 0011 in binary, i.e. 0x03 (3 in decimal) to disable kext signing and filesystem protection
  • 0110 0011 or 0110 1111 in binary, i.e. 0x63 or 0x6F (103 or 111 in decimal) to disable all protections that mattered


If I booted Enoch in verbose mode with CsrActiveConfig=103 (i.e. 0x63), the displayed info showed:

System Integrity Protection status: enabled (Custom Configuration).

Configuration:
Apple Internal: disabled
Kext Signing: disabled
Filesystem Protections: disabled
Debugging Restrictions: disabled
DTrace Restrictions: disabled
NVRAM Protections: disabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.

 

At time of writing, in the days of Clover and Catalina, most people still use CsrActiveConfig 0x63 and that's fine. But there are also more flags to control SIP than there used to be in El Capitan:

  • Sierra added a 9th flag for Any Recovery OS
  • High Sierra added a 10th flag for Unapproved Kexts
  • Mojave added an 11th flag for Executable Policy Override

 

SIP is therefore arranged as follows:

nibble:              #3        |         #2        |         #1     
nibble bits:   4   3   2   1   |   4   3   2   1   |   4   3   2   1
bits:         12  11  10   9   |   8   7   6   5   |   4   3   2   1
               -   -   -   -       -   -   -   -       -   -   -   -
             N/A   |   |   |       |   |   |   |       |   |   |   |
                   |   |   |       |   |   |   |       |   |   |   |
                   |   |   |       |   |   |   |       |   |   |   |
                   /   |   |       |   |   |   |       |   |   |   |
       Policy Over.    /   |       |   |   |   |       |   |   |   |
              Kext App.    /       |   |   |   |       |   |   |   |
                  Recov. OS        /   |   |   |       |   |   |   \
                     Device Config.    /   |   |       |   |   \    Kext Sig.
                            NVRAM Prot.    /   |       |    \   FS Prot.
                               DTrace Rest.    /       \     Task for PID
                                     Apple Int.         Kernel Debug.

where:

Bit #1 = Allow untrusted kexts

Bit #2 = Allow unrestricted FileSystem

Bit #3 = Allow task for PID

Bit #4 = Allow kernel debugger

Bit #5 = Allow Apple internal

Bit #6 = Allow unrestricted DTrace

Bit #7 = Allow unrestricted NVRAM

Bit #8 = Allow device configuration

Bit #9 = Allow any recovery OS

Bit #10 = Allow unapproved kexts

Bit #11 = Allow executable policy override

Bit #12 = N/A

 

Source: csr.h (in bsd/sys folder) of Mojave 10.14's published XNU source code at https://opensource.apple.com/

 

Whilst the original CsrActiveConfig of 0x03 or 0x63 remains valid by and large for most hackintoshers, some folks may also want to allow unapproved kexts on top of unsigned kexts. Keeping the same flags as for CsrActiveConfig 0x63 alongside, this would lead to a new value of 0010 0110 0011, i.e. 0x263 or 611 in decimal.

 


A little update further to recent discussions at InsanelyMac on the matter of SIP and macOS updates not being offered in Big Sur.

 

First of all, it should be pointed out that Big Sur introduced a new 12th flag for unauthenticated root, updating SIP as follows:

nibble:              #3        |         #2        |         #1     
nibble bits:   4   3   2   1   |   4   3   2   1   |   4   3   2   1
bits:         12  11  10   9   |   8   7   6   5   |   4   3   2   1
               -   -   -   -       -   -   -   -       -   -   -   -
               |   |   |   |       |   |   |   |       |   |   |   |
               |   |   |   |       |   |   |   |       |   |   |   |
               /   |   |   |       |   |   |   |       |   |   |   |
   Unauth. Root    /   |   |       |   |   |   |       |   |   |   |
       Policy Over.    /   |       |   |   |   |       |   |   |   |
              Kext app.    /       |   |   |   |       |   |   |   |
                  Recov. OS        /   |   |   |       |   |   |   \
                     Device Config.    /   |   |       |   |   \    Kext Sig.
                            NVRAM Prot.    /   |       |    \   FS Prot.
                               DTrace Rest.    /       \     Task for PID
                                     Apple Int.         Kernel Debug.

where:

Bit #1 = Allow untrusted kexts

Bit #2 = Allow unrestricted FileSystem

Bit #3 = Allow task for PID

Bit #4 = Allow kernel debugger

Bit #5 = Allow Apple internal

Bit #6 = Allow unrestricted DTrace

Bit #7 = Allow unrestricted NVRAM

Bit #8 = Allow device configuration

Bit #9 = Allow any recovery OS

Bit #10 = Allow unapproved kexts

Bit #11 = Allow executable policy override

Bit #12 = Allow unauthenticated root

 

Source: csr.h (in bsd/sys folder) of Big Sur 11's published XNU source code at https://opensource.apple.com/

 

Initially, back in the days of El Capitan, disabling SIP was mostly required to load add-on kexts, especially when these were cached. With Big Sur, this is not really required with add-on kexts being injected from Clover and/or OpenCore and SIP can usually remain enabled with no particular side effects/impacts.

 

For those who still want to disable SIP (for instance if booting Big Sur with Clover and using cached kexts), it's important not to set all flags to 1 as this blocks/prevents Big Sur updates from being offered to the Hackintosh. This is typically what happens to people who use csr-active-config 0xFFF as recommended in Dortania's OpenCore documentation. Such a value results in the following SIP status:

admin@E6230 ~ % nvram -p | grep csr
csr-active-config %ff%0f%00%00
admin@E6230 ~ %
admin@E6230 ~ % csrutil status     
System Integrity Protection status: unknown (Custom Configuration).

Configuration:
Apple Internal: enabled
Kext Signing: disabled
Filesystem Protections: disabled
Debugging Restrictions: disabled
DTrace Restrictions: disabled
NVRAM Protections: disabled
BaseSystem Verification: disabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.

 

However, the Apple Internal flag needs to be kept disabled (i.e. bit #5 unset) for Big Sur updates to be offered. Alternative csr-active-config values such as 0x67 / 0x267 / 0x867 / 0xA67 / 0xFEF are therefore recommended instead of 0xFFF. Example with 0xFEF:

admin@E6230 ~ % nvram -p | grep csr
csr-active-config	%ef%0f%00%00
admin@E6230 ~ % 
admin@E6230 ~ % csrutil status     
System Integrity Protection status: unknown (Custom Configuration).

Configuration:
Apple Internal: disabled
Kext Signing: disabled
Filesystem Protections: disabled
Debugging Restrictions: disabled
DTrace Restrictions: disabled
NVRAM Protections: disabled
BaseSystem Verification: disabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.
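
As an added example (not part of Hervé's posts), the following Python script applies the 12-bit flag table quoted above: it parses the little-endian byte string that `nvram -p` prints for csr-active-config (e.g. `%ef%0f%00%00` is 0xFEF), lists which flags a value enables, builds a value from a list of bit numbers, and checks whether bit #5 (Apple Internal) is set, which both posts identify as the bit to keep clear. The flag names are taken verbatim from the post; the function names are my own.

```python
# Added example: decode/build csr-active-config values with the 12-bit flag table from csr.h quoted in the post.
# Bit number -> flag name, exactly as listed in the post (Big Sur layout).
CSR_FLAGS = {
    1: "Allow untrusted kexts",
    2: "Allow unrestricted FileSystem",
    3: "Allow task for PID",
    4: "Allow kernel debugger",
    5: "Allow Apple internal",
    6: "Allow unrestricted DTrace",
    7: "Allow unrestricted NVRAM",
    8: "Allow device configuration",
    9: "Allow any recovery OS",
    10: "Allow unapproved kexts",
    11: "Allow executable policy override",
    12: "Allow unauthenticated root",
}

# Per the post, this bit must stay clear for Big Sur updates to be offered.
APPLE_INTERNAL_BIT = 5

def parse_nvram_value(raw):
    """Parse the value column printed by `nvram -p`, e.g. '%ef%0f%00%00'.
    nvram prints non-printable bytes as %XX and printable ones literally, in
    little-endian byte order, so '%ef%0f%00%00' is the 32-bit value 0x0FEF."""
    data = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == "%":
            data.append(int(raw[i + 1:i + 3], 16))
            i += 3
        else:
            data.append(ord(raw[i]))
            i += 1
    return int.from_bytes(bytes(data), "little")

def decode(value):
    """Names of every flag set in value, lowest bit first (bit n is 1 << (n-1))."""
    return [CSR_FLAGS[b] for b in sorted(CSR_FLAGS) if value & (1 << (b - 1))]

def encode(bits):
    """Build a value from a list of bit numbers, e.g. [1, 2, 6, 7] -> 0x63."""
    return sum(1 << (b - 1) for b in bits)

def apple_internal_enabled(value):
    """True when bit #5 (Apple Internal) is set, as with 0xFFF but not 0xFEF."""
    return bool(value & (1 << (APPLE_INTERNAL_BIT - 1)))

if __name__ == "__main__":  # decode the two nvram lines shown in the post
    for raw in ("%ff%0f%00%00", "%ef%0f%00%00"):
        v = parse_nvram_value(raw)
        print(f"{raw} -> 0x{v:X}, Apple Internal set: {apple_internal_enabled(v)}", decode(v))
```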

 
