From the Apple open source page for Big Sur 11.2 (file csr.h), the bit flags for SIP are as follows:
C:
/* CSR configuration flags */
#define CSR_ALLOW_UNTRUSTED_KEXTS (1 << 0)
#define CSR_ALLOW_UNRESTRICTED_FS (1 << 1)
#define CSR_ALLOW_TASK_FOR_PID (1 << 2)
#define CSR_ALLOW_KERNEL_DEBUGGER (1 << 3)
#define CSR_ALLOW_APPLE_INTERNAL (1 << 4)
#define CSR_ALLOW_DESTRUCTIVE_DTRACE (1 << 5) /* name deprecated */
#define CSR_ALLOW_UNRESTRICTED_DTRACE (1 << 5)
#define CSR_ALLOW_UNRESTRICTED_NVRAM (1 << 6)
#define CSR_ALLOW_DEVICE_CONFIGURATION (1 << 7)
#define CSR_ALLOW_ANY_RECOVERY_OS (1 << 8)
#define CSR_ALLOW_UNAPPROVED_KEXTS (1 << 9)
#define CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE (1 << 10)
#define CSR_ALLOW_UNAUTHENTICATED_ROOT (1 << 11)
The command csrutil disable properly disables SIP. It does so by setting the following flags:
C:
/* Flags set by `csrutil disable`. */
#define CSR_DISABLE_FLAGS (CSR_ALLOW_UNTRUSTED_KEXTS | \
CSR_ALLOW_UNRESTRICTED_FS | \
CSR_ALLOW_TASK_FOR_PID | \
CSR_ALLOW_KERNEL_DEBUGGER | \
CSR_ALLOW_APPLE_INTERNAL | \
CSR_ALLOW_UNRESTRICTED_DTRACE | \
CSR_ALLOW_UNRESTRICTED_NVRAM)
This equates to binary 0000 0000 0111 1111 or hex 0x007F. In reverse byte order (needed for OpenCore) this is 7F00. But two additional flags are always enforced:
C:
#define CSR_ALWAYS_ENFORCED_FLAGS (CSR_ALLOW_DEVICE_CONFIGURATION | CSR_ALLOW_ANY_RECOVERY_OS)
If we add the bit flags for these, the SIP value becomes binary 0000 0001 1111 1111 or hex 0x01FF. In reverse byte order this is FF01.
But if we want to go beyond Apple's csrutil disable and disable everything, then we can specify binary 0000 1111 1111 1111 or hex 0x0FFF. In reverse byte order this is FF0F.
Now let's look at 67000000. We ignore the last 4 bytes and examine only 6700, which we know is in reverse byte order because we're getting this value from OpenCore config.plist. Switching the bytes we get 0x0067 or binary 0000 0000 0110 0111. We can decode this as follows:
C:
#define CSR_ALLOW_UNTRUSTED_KEXTS (1 << 0)
#define CSR_ALLOW_UNRESTRICTED_FS (1 << 1)
#define CSR_ALLOW_TASK_FOR_PID (1 << 2)
...
#define CSR_ALLOW_UNRESTRICTED_DTRACE (1 << 5)
#define CSR_ALLOW_UNRESTRICTED_NVRAM (1 << 6)
Happy now?
Bottom line: Do not worry about it. We've been running with SIP completely disabled for years.
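The decoding walked through above, as an added example that is not part of the original post: it takes the eight-hex-digit value as it appears in OpenCore config.plist, swaps the byte order, and lists which of the csr.h flags quoted above are set, so a configuration can be audited for which SIP protections are off. The function names, and the padding of 7F00 and FF0F to four bytes in the samples, are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flag names in bit order, from the csr.h listing quoted in the post. */
static const char *const csr_names[] = {
    "CSR_ALLOW_UNTRUSTED_KEXTS", "CSR_ALLOW_UNRESTRICTED_FS",
    "CSR_ALLOW_TASK_FOR_PID", "CSR_ALLOW_KERNEL_DEBUGGER",
    "CSR_ALLOW_APPLE_INTERNAL", "CSR_ALLOW_UNRESTRICTED_DTRACE",
    "CSR_ALLOW_UNRESTRICTED_NVRAM", "CSR_ALLOW_DEVICE_CONFIGURATION",
    "CSR_ALLOW_ANY_RECOVERY_OS", "CSR_ALLOW_UNAPPROVED_KEXTS",
    "CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE", "CSR_ALLOW_UNAUTHENTICATED_ROOT",
};
#define CSR_KNOWN_BITS 12u

/* Parse exactly 8 hex digits written in reverse byte order (hypothetical helper).
 * Returns 0 on success, -1 on malformed input. */
int csr_parse(const char *hex, uint32_t *out) {
    if (strlen(hex) != 8 || strspn(hex, "0123456789abcdefABCDEF") != 8) return -1;
    uint32_t be = (uint32_t)strtoul(hex, NULL, 16);   /* bytes in the order written */
    *out = (be >> 24) | ((be >> 8) & 0xFF00u) | ((be << 8) & 0xFF0000u) | (be << 24);
    return 0;
}

/* Bits set outside the 12 flags listed above; nonzero means this table is incomplete for the value. */
uint32_t csr_unknown_bits(uint32_t v) { return v & ~((1u << CSR_KNOWN_BITS) - 1u); }

/* Print each set flag; returns how many known flags are set. */
int csr_print(uint32_t v) {
    int n = 0;
    for (unsigned b = 0; b < CSR_KNOWN_BITS; b++)
        if (v & (1u << b)) { printf("  bit %2u  %s\n", b, csr_names[b]); n++; }
    return n;
}

int main(void) {
    /* First value is from the post; the other two are its 7F00 and FF0F, padded (constructed). */
    const char *samples[] = { "67000000", "7F000000", "FF0F0000" };
    for (int i = 0; i < 3; i++) {
        uint32_t v;
        if (csr_parse(samples[i], &v) != 0) { printf("%s: malformed\n", samples[i]); continue; }
        printf("%s -> 0x%08X\n", samples[i], (unsigned)v);
        csr_print(v);
    }
    return 0;
}
```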