
Big Sur and disabling SIP

Joined
Oct 30, 2018
Messages
282
Motherboard
GIGABYTE Z370 AORUS Gaming 7
CPU
i7-8700K
Graphics
RX 5700XT
I was trying to do something that Apple doesn't like... I went to disable SIP by the terminal and got a message saying that the command has to be executed from RECOVERY mode.

Is there a way around this? Even on my AppleActuals, this would be a major PitA.
 

jaymonkey

Moderator
Joined
Aug 27, 2011
Messages
3,994
Motherboard
GB Z490 Vision G
CPU
i9 10850K OC @ 5.2 GHz
Graphics
Vega 64 LC + HD 630
I went to disable SIP by the terminal and got a message saying that the command has to be executed from RECOVERY mode .... Is there a way around this? Even on my AppleActuals, this would be a major PitA.

@HackinMax,

The official Apple way of disabling SIP is to boot into recovery, run terminal and use the CSRUTIL command to enable or disable SIP. It is not possible to alter SIP whilst MacOS is actually running as many of the underlying SIP enabling and disabling procedures need to be done whilst MacOS is booting.

This has been true for previous versions of MacOS ..... not just Big Sur.

On Hackintosh systems we generally do not recommend using the CSRUTIL command to disable SIP, instead we can set the NVRAM variables BooterConfig and CsrActiveConfig directly (which is all the CSRUTIL command really does) via Clover or OpenCore.

Cheers
Jay
 
Joined
Oct 30, 2018
Messages
282
Motherboard
GIGABYTE Z370 AORUS Gaming 7
CPU
i7-8700K
Graphics
RX 5700XT
@HackinMax,

The official Apple way of disabling SIP is to boot into recovery, run terminal and use the CSRUTIL command to enable or disable SIP. It is not possible to alter SIP whilst MacOS is actually running as many of the underlying SIP enabling and disabling procedures need to be done whilst MacOS is booting.

This has been true for previous versions of MacOS ..... not just Big Sur.

On Hackintosh systems we generally do not recommend using the CSRUTIL command to disable SIP, instead we can set the NVRAM variables BooterConfig and CsrActiveConfig directly (which is all the CSRUTIL command really does) via Clover or OpenCore.

Cheers
Jay
Thanks for the sanity check.
Disabling SIP from the terminal allows me to avoid the 'Unknown Developer' block. The terminal solution has always worked well, but I get that there could be complications.
I've never booted into recovery to disable/re-enable csr-utils. So, this was news to me.

I see varying opinions on permanently disabling sip. But, I have one system that I will now need to run with disabled sip. I can't keep booting in and out of recovery to install and run the apps I need.

Ironically, this is also a problem on my (actual)MacPro production machine. I am assuming that SIP will be automatically re-enabled after subsequent reboots. Such is the tyranny of security.
 

jaymonkey

Moderator
Joined
Aug 27, 2011
Messages
3,994
Motherboard
GB Z490 Vision G
CPU
i9 10850K OC @ 5.2 GHz
Graphics
Vega 64 LC + HD 630
I have one system that I will now need to run with disabled sip. I can't keep booting in and out of recovery to install and run the apps I need.

Ironically, this is also a problem on my (actual)MacPro production machine. I am assuming that SIP will be automatically re-enabled after subsequent reboots. Such is the tyranny of security.

@HackinMax,

If you disable SIP using the official Apple method on a real Mac then it will remain disabled until it is re-enabled. The method is used by many Mac developers that need to run alpha or beta software that is unsigned.

As previously stated, for Hackintosh systems it's best to configure the NVRAM variable CsrActiveConfig to disable SIP. The advantage of this method is that you can choose how much you disable SIP by applying a bit mask to CsrActiveConfig.

If you use Clover you can dynamically manually override SIP directly from the settings menu :-

Clover-SIP.png


For MacOS Catalina and below we generally recommend setting CsrActiveConfig to 0x67,
which allows the following SIP restrictions :-
  • CSR_ALLOW_UNTRUSTED_KEXTS
  • CSR_ALLOW_UNRESTRICTED_FS
  • CSR_ALLOW_TASK_FOR_PID
  • CSR_ALLOW_UNRESTRICTED_DTRACE
  • CSR_ALLOW_UNRESTRICTED_NVRAM
For Big Sur and beyond the new recommended value for CsrActiveConfig is 0x3E7,
which allows the following SIP restrictions :-
  • CSR_ALLOW_UNTRUSTED_KEXTS
  • CSR_ALLOW_UNRESTRICTED_FS
  • CSR_ALLOW_TASK_FOR_PID
  • CSR_ALLOW_UNRESTRICTED_DTRACE
  • CSR_ALLOW_UNRESTRICTED_NVRAM
  • CSR_ALLOW_DEVICE_CONFIGURATION
  • CSR_ALLOW_ANY_RECOVERY_OS
  • CSR_ALLOW_UNAPPROVED_KEXTS
You can look at the bit mask values for yourself by looking at csr.h in the Apple source code repository, although it's been a while since Apple released fresh open source code for MacOS, hence the code in that link is somewhat out of date, but it gives you an idea of how the mask works.

There are plenty of resources on-line if you want to research SIP further.

Cheers
Jay
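
The bit mask from the post above, decoded in an added example (not code from the thread or from Apple). Bit positions follow Apple's csr.h, including four flags the post does not list; the function names are hypothetical, and the sample strings in the comments are constructed in the form `nvram csr-active-config` prints (four little-endian bytes, non-printable ones shown as %XX).

```python
import re

# Bit positions as defined in Apple's csr.h (XNU source).
CSR_FLAGS = {
    0x001: "CSR_ALLOW_UNTRUSTED_KEXTS",
    0x002: "CSR_ALLOW_UNRESTRICTED_FS",
    0x004: "CSR_ALLOW_TASK_FOR_PID",
    0x008: "CSR_ALLOW_KERNEL_DEBUGGER",
    0x010: "CSR_ALLOW_APPLE_INTERNAL",
    0x020: "CSR_ALLOW_UNRESTRICTED_DTRACE",
    0x040: "CSR_ALLOW_UNRESTRICTED_NVRAM",
    0x080: "CSR_ALLOW_DEVICE_CONFIGURATION",
    0x100: "CSR_ALLOW_ANY_RECOVERY_OS",
    0x200: "CSR_ALLOW_UNAPPROVED_KEXTS",
    0x400: "CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE",
    0x800: "CSR_ALLOW_UNAUTHENTICATED_ROOT",
}

def parse_nvram_value(text):
    """Convert the value printed by `nvram csr-active-config` to an integer.

    Constructed samples: "g%00%00%00" (0x67), "%e7%03%00%00" (0x3E7).
    """
    raw = bytearray()
    i = 0
    while i < len(text):
        pair = text[i + 1:i + 3]
        if text[i] == "%" and re.fullmatch(r"[0-9a-fA-F]{2}", pair):
            raw.append(int(pair, 16))   # escaped byte
            i += 3
        else:
            raw.append(ord(text[i]))    # printable byte shown literally
            i += 1
    if len(raw) != 4:
        raise ValueError(f"expected 4 bytes, got {len(raw)}")
    return int.from_bytes(raw, "little")

def decode(mask):
    """Return (names of set flags, leftover bits not defined in CSR_FLAGS)."""
    names = [name for bit, name in CSR_FLAGS.items() if mask & bit]
    return names, mask & ~sum(CSR_FLAGS)

def added_by(new_mask, base_mask):
    """Flags set in new_mask that base_mask leaves clear (for auditing a change)."""
    return decode(new_mask & ~base_mask)[0]

if __name__ == "__main__":
    for sample in ("g%00%00%00", "%e7%03%00%00"):
        mask = parse_nvram_value(sample)
        print(hex(mask), decode(mask)[0])
```

`added_by(0x3E7, 0x67)` lists the three protections the Big Sur value relaxes beyond the Catalina one.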
 
Joined
Oct 10, 2015
Messages
921
Motherboard
Z370 AORUS Gaming 3
CPU
i5-9600K
Graphics
RX 580
From my personal experiences, disabling SIP in Recovery may work or may not work on different machines.
 

jaymonkey

Moderator
Joined
Aug 27, 2011
Messages
3,994
Motherboard
GB Z490 Vision G
CPU
i9 10850K OC @ 5.2 GHz
Graphics
Vega 64 LC + HD 630
From my personal experiences, disabling SIP in Recovery may work or may not work on different machines.

@Bustycat,

It's mostly dependent on how well your system deals with NVRAM.

CsrActiveConfig is a protected NVRAM variable meaning that it can only be altered by using the official Apple method (via Recovery and the CsrUtil terminal command) on genuine Macs or by NVRAM injection via the bootloader (Clover or OpenCore) on Hackintosh systems.

You cannot set CsrActiveConfig via a basic NVRAM terminal command ...

I tend to always recommend using the BootLoader method on Hacks ... however emulated NVRAM could potentially have problems with it ... although I'm not 100% sure as all my Hacks are configured to use Native NVRAM .. not emulated.

Cheers
Jay
 
Joined
Jan 30, 2018
Messages
9
Motherboard
Asus TUF B460M Plus
CPU
i9-10850K
Graphics
Intel > Need version # > See Rules!
My Hackintosh stays on SIP mode UNKNOWN, and doesn't go to any other state, not enabled or disabled... How can I fix it please, any help? I'm on OSX 11.5.1 and updates are not showing up, and there is an app that is giving me a system error because of that UNKNOWN SIP state. Thanks for any help.

System Integrity Protection status: unknown (Custom Configuration).

Configuration:
Apple Internal: enabled
Kext Signing: disabled
Filesystem Protections: disabled
Debugging Restrictions: disabled
DTrace Restrictions: disabled
NVRAM Protections: disabled
BaseSystem Verification: disabled

TUF B460M Plus
i9-10850K
 