
Explaining OS X El Capitan Security Changes - Workarounds and Current Information

Kexts that are injected (from EFI/Clover/kexts) are never cached. Only kexts installed to /S/L/E or /L/E are placed in the cache (and even then, only the kexts that are needed by your system).
After restoring via Time Machine, the ethernet card would display in the Network Panel but not work (always in Red status). Only after I rebuilt the caches, the ethernet card would work (in Green status). And the driver of the ethernet card (AppleIntelE1000e.kext) was placed under /EFI/CLOVER/kexts. How to explain this phenomenon?

Tom
 

RehabMan

Moderator
After restoring via Time Machine, the ethernet card would display in the Network Panel but not work (always in Red status). Only after I rebuilt the caches, the ethernet card would work (in Green status). And the driver of the ethernet card (AppleIntelE1000e.kext) was placed under /EFI/CLOVER/kexts. How to explain this phenomenon?

Tom
Ethernet kexts, such as AppleIntelE1000e.kext, have a dependency... IONetworkingFamily.kext.

So... it only works when IONetworkingFamily.kext is in the cache. Rebuilding cache puts IONetworkingFamily.kext into the cache, not AppleIntelE1000e.kext. Kexts that are injected are never placed in cache (unless they also exist in /S/L/E, of course).

You can also use ForceKextsToLoad to force IONetworkingFamily.kext to load. I use this so it works at installation/recovery, for example.
 
Ethernet kexts, such as AppleIntelE1000e.kext, have a dependency... IONetworkingFamily.kext.

So... it only works when IONetworkingFamily.kext is in the cache. Rebuilding cache puts IONetworkingFamily.kext into the cache, not AppleIntelE1000e.kext. Kexts that are injected are never placed in cache (unless they also exist in /S/L/E, of course).

You can also use ForceKextsToLoad to force IONetworkingFamily.kext to load. I use this so it works at installation/recovery, for example.
Nice explanation, @RehabMan

Much appreciated.

Tom
 
Kexts that are injected (from EFI/Clover/kexts) are never cached. Only kexts installed to /S/L/E or /L/E are placed in the cache (and even then, only the kexts that are needed by your system).
Good to know, but I would like to ask you what happens with patched kexts (via Clover). For example, AppleHDA.kext lives in S/L/E, so it is cached. What would happen if I patch AppleHDA? Should I rebuild caches? When? How?

I'm on PB5 with SIP disabled completely. Thanks for all the info!
 

RehabMan

Moderator
Good to know, but I would like to ask you what happens with patched kexts (via Clover). For example, AppleHDA.kext lives in S/L/E, so it is cached. What would happen if I patch AppleHDA? Should I rebuild caches? When? How?

I'm on PB5 with SIP disabled completely. Thanks for all the info!
Patches via config.plist patch the kext that is in cache when Clover loads the cache from disk.
 
This was just posted on reddit, I wonder if true and what the hex values are:

That half-assed configuration panel used in previous El Capitan recovery systems is no more.
Yeah, I was also nervous for a moment when I found this out. Nothing to worry about though: Those looking to disable System Integrity Protection may do so via the csrutil command line utility in recovery mode:
csrutil disable
To complement its new role, csrutil now offers a higher level of customization; Individual aspects to System Integrity Protection may now be enabled or disabled individually:
csrutil enable \
--without kext \
--without fs \
--without debug \
--without dtrace \
--without nvram
If you would like to prevent the modification of your boot parameters, for example, but without the filesystem lockdown getting in your way, this would now be possible like so:
csrutil enable --without fs
Anyway, spread the word, and enjoy!
 
I am on PB5 also and setting to enable will not allow me to boot. The progress bar goes all the way over and stays there for eternity. However setting to x3 goes to login in about 15 seconds from starting it. However bluetooth takes about 30 minutes to initialize.
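
Added example, not part of the thread and not code from any poster: the posts above ask what the hex values are and mention a setting of "x3". This Python sketch decodes a SIP mask as `nvram` prints it into the protections it relaxes. It assumes the mask is the `csr-active-config` NVRAM variable and that "x3" means 0x3; the function names and sample lines are constructed for illustration.

```python
import struct

# Bit names from XNU's bsd/sys/csr.h as shipped with OS X 10.11.
CSR_FLAGS = {
    0x01: "CSR_ALLOW_UNTRUSTED_KEXTS",
    0x02: "CSR_ALLOW_UNRESTRICTED_FS",
    0x04: "CSR_ALLOW_TASK_FOR_PID",
    0x08: "CSR_ALLOW_KERNEL_DEBUGGER",
    0x10: "CSR_ALLOW_APPLE_INTERNAL",
    0x20: "CSR_ALLOW_UNRESTRICTED_DTRACE",
    0x40: "CSR_ALLOW_UNRESTRICTED_NVRAM",
    0x80: "CSR_ALLOW_DEVICE_CONFIGURATION",
}
HEX = "0123456789abcdefABCDEF"

def parse_nvram_value(text):
    """nvram prints unprintable bytes as %XX and printable ones literally."""
    out = bytearray()
    i = 0
    while i < len(text):
        pair = text[i + 1:i + 3]
        if text[i] == "%" and len(pair) == 2 and all(c in HEX for c in pair):
            out.append(int(pair, 16))
            i += 3
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)

def csr_mask_from_nvram_line(line):
    """Return the 32-bit little-endian mask from 'csr-active-config<TAB>value'."""
    name, _, value = line.rstrip("\n").partition("\t")
    if name != "csr-active-config":
        raise ValueError("not a csr-active-config line")
    raw = parse_nvram_value(value)
    if len(raw) != 4:
        raise ValueError("expected 4 bytes, got %d" % len(raw))
    return struct.unpack("<I", raw)[0]

def describe(mask):
    """List the protections a mask relaxes; unknown bits are reported, not dropped."""
    names = [name for bit, name in CSR_FLAGS.items() if mask & bit]
    unknown = mask & ~sum(CSR_FLAGS)
    if unknown:
        names.append("UNKNOWN_0x%x" % unknown)
    return names

if __name__ == "__main__":
    # Constructed sample lines: 0x3 as percent-escapes, 0x77 with 'w' printed literally.
    for sample in ("csr-active-config\t%03%00%00%00", "csr-active-config\tw%00%00%00"):
        mask = csr_mask_from_nvram_line(sample)
        print(hex(mask), describe(mask))
```

Under the 0x3 assumption, the mask relaxes exactly two protections: untrusted kext loading and the filesystem restrictions.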
 
Can I update current Yosemite to El Capitan?
 