Administrators Hervé Posted May 24, 2019 Administrators Share Posted May 24, 2019 Back in 2015 , when Apple introduced SIP protection in El Capitan, I quickly had a look at the SIP settings and associated CsrActiveConfig 8bit values in Enoch: nibble: 4 3 2 1 | 4 3 2 1 bits: - - - - | - - - - | | | | | | | | | | | | | | | | | | | | | | | | / | | | | | | \ Dev. Prot. / | | | | \ Kext Sig. NVRAM Prot. / | | \ FS Prot. DTrace Prot. / \ Task Prot. Apple Int. Kernel Debug. Source: csr.h (in bsd/sys folder) of 10.11's published XNU source code at https://opensource.apple.com/ On the basis/assumption that Apple Internal & Device Configuration could be kept disabled by default (bit set to 0), CsrActiveConfig could be set to: 00000011 in binary, i.e. 0x03 (3 in decimal) to disable kext signing and filesystem protection 01100011 or 01101111 in binary, i.e. 0x63 or 0x6F (103 or 111 in decimal) to disable all protections that mattered If I booted Enoch in verbose mode with CsrActiveConfig=103 (i.e. 0x63), the displayed info showed: System Integrity Protection status: enabled (Custom Configuration). Configuration: Apple Internal: disabled Kext Signing: disabled Filesystem Protections: disabled Debugging Restrictions: disabled DTrace Restrictions: disabled NVRAM Protections: disabled This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state. In the current days of Clover, most people still use CsrActiveConfig 0x63 and that's fine. But there are also more rootless flags to control SIP than there used to be in El Capitan: nible: #3 | #2 | #1 nibble bits: 4 3 2 1 | 4 3 2 1 | 4 3 2 1 bits: 12 11 10 9 | 8 7 6 5 | 4 3 2 1 - - - - - - - - - - - - N/A | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | / | | | | | | | | | | Policy Over. / | | | | | | | | | Kext app. / | | | | | | | | Recov. OS / | | | | | | \ Device Config. / | | | | \ Kext Sig. NVRAM Prot. / | | \ FS Prot. DTrace Rest. / \ Task for PID Apple Int. Kernel Debug. where: Bit #12 = N/A Bit #11 = Allow executable policy override Bit #10 = Allow unapproved kexts Bit #9 = Allow any recovery OS Bit #8 = Allow device configuration Bit #7 = Allow unrestricted NVRAM Bit #6 = Allow unrestricted DTrace Bit #5 = Allow Apple internal Bit #4 = Allow kernel debugger Bit #3 = Allow task for PID Bit #2 = Allow unrestricted FileSystem Bit #1 = Allow untrusted kexts Source: csr.h (in bsd/sys folder) of 10.14.1's published XNU source code at https://opensource.apple.com/ Whilst the original CsrActiveConfig of 0x03 or 0x63 remains valid by far and large to most hackintoshers, some folks may also want to allow unapproved kexts on top of unsigned kexts. Keeping the same flags as for CsrActiveConfig 0x63 alongside, this would lead to a new value of 0010 0110 0011, i.e. 0x263 or 611 in decimal. 1 Link to comment Share on other sites More sharing options...
Recommended Posts