How do I disable SIP (System Integrity Protection)?

[Hervé]

Back in 2015 , when Apple introduced SIP protection in El Capitan, I quickly had a look at the SIP settings and associated CsrActiveConfig 8bit values in Enoch:

nibble:    4   3   2   1   |   4   3   2   1
bits:      -   -   -   -   |   -   -   -   -
           |   |   |   |       |   |   |   |
           |   |   |   |       |   |   |   |
           |   |   |   |       |   |   |   |
          /    |   |   |       |   |   |    \
Dev. Prot.    /    |   |       |   |    \    Kext Sig.
  NVRAM Prot.     /    |       |    \    FS Prot.
     DTrace Prot.     /         \    Task Prot.
           Apple Int.            Kernel Debug.

Source: csr.h (in bsd/sys folder) of 10.11's published XNU source code at https://opensource.apple.com/

 

On the basis/assumption that Apple Internal & Device Configuration could be kept disabled by default (bit set to 0), CsrActiveConfig could be set to:

• 00000011 in binary, i.e. 0x03 (3 in decimal) to disable kext signing and filesystem protection
• 01100011 or 01101111 in binary, i.e. 0x63 or 0x6F (103 or 111 in decimal) to disable all protections that mattered

If I booted Enoch in verbose mode with CsrActiveConfig=103 (i.e. 0x63), the displayed info showed:

System Integrity Protection status: enabled (Custom Configuration).

Configuration:
Apple Internal: disabled
Kext Signing: disabled
Filesystem Protections: disabled
Debugging Restrictions: disabled
DTrace Restrictions: disabled
NVRAM Protections: disabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.

 

In the current days of Clover, most people still use CsrActiveConfig 0x63 and that's fine. But there are also more rootless flags to control SIP than there used to be in El Capitan:

nible:               #3        |         #2        |         #1     
nibble bits:   4   3   2   1   |   4   3   2   1   |   4   3   2   1
bits:         12  11  10   9   |   8   7   6   5   |   4   3   2   1
               -   -   -   -       -   -   -   -       -   -   -   -
             N/A   |   |   |       |   |   |   |       |   |   |   |
                   |   |   |       |   |   |   |       |   |   |   |
                   |   |   |       |   |   |   |       |   |   |   |
                   /   |   |       |   |   |   |       |   |   |   |
       Policy Over.    /   |       |   |   |   |       |   |   |   |
              Kext app.    /       |   |   |   |       |   |   |   |
                  Recov. OS        /   |   |   |       |   |   |   \
                     Device Config.    /   |   |       |   |   \    Kext Sig.
                            NVRAM Prot.    /   |       |    \   FS Prot.
                               DTrace Rest.    /       \     Task for PID
                                     Apple Int.         Kernel Debug.

where:
Bit #12 = N/A

Bit #11 = Allow executable policy override

Bit #10 = Allow unapproved kexts

Bit #9 = Allow any recovery OS

Bit #8 = Allow device configuration

Bit #7 = Allow unrestricted NVRAM

Bit #6 = Allow unrestricted DTrace

Bit #5 = Allow Apple internal

Bit #4 = Allow kernel debugger

Bit #3 = Allow task for PID

Bit #2 = Allow unrestricted FileSystem

Bit #1 = Allow untrusted kexts

 

Source: csr.h (in bsd/sys folder) of 10.14.1's published XNU source code at https://opensource.apple.com/

 

Whilst the original CsrActiveConfig of 0x03 or 0x63 remains valid by far and large to most hackintoshers, some folks may also want to allow unapproved kexts on top of unsigned kexts. Keeping the same flags as for CsrActiveConfig 0x63 alongside, this would lead to a new value of 0010 0110 0011, i.e. 0x263 or 611 in decimal.