Over the past few OS X releases, Apple has tightened system security. They have gradually begun to bring OS X in line with iOS in terms of locking down certain areas of the system to the user.
In OS X El Capitan, Apple has implemented ‘rootless’ security or System Integrity Protection (SIP). This locks down system folders and files against hacks and root attacks, thus keeping the system safer. As good as this is for security, it has made things much harder for the hackintosh community, requiring workarounds for established methods of installation and maintenance for generic PCs. It has become necessary to make drastic changes in order to modify current tools to inject unsigned kexts and alter system kexts. These changes are in testing and yet to be completed for the legacy bootloaders Chameleon/Chimera and the EFI bootloader Clover.
Starting with OS X 10.10 Yosemite, in order to load unsigned kexts the user had to pass the boot flag kext-dev-mode=1. As of OS X 10.11 El Capitan, that option is not available anymore.
Early OS X 10.11 El Capitan betas contained a new boot flag to disable rootless security called rootless=0. This has been removed in recent beta builds, and replaced with NVRAM csr-active-config. This provides much finer-grained control over SIP, allowing the user to toggle the new rootless security options on and off either completely or partially. OS X also contains a new application on the Recovery Partition to enable or disable SIP.
A good rule of thumb is that when rebuilding the kernel cache on a hackintosh, SIP must be disabled. SIP must be disabled in order to install anything to protected system folders. SIP can also be disabled partially, to allow unsigned kexts in cache and install to protected folders.
We will likely eventually recommend that SIP be disabled from the beginning of the installation through post-installation process. After everything is set, and the user is successfully booting, SIP can be re-enabled.
As of today, the only bootloader that will inject kexts into protected cache and adjust SIP settings on the fly is Clover v3259 or later. Clover can set csr-active-config with config.plist/RtVariables/CsrActiveConfig and config.plist/RtVariables/BooterConfig=0x28.
Relevant user options for SIP are as follows:
csr-active-config 0x0 = SIP Enabled (Default)
csr-active-config 0x3 = SIP Partially Disabled (Loads unsigned kexts)
csr-active-config 0x67 = SIP Disabled completely
Clover config.plist:
Code:
<key>RtVariables</key>
<dict>
    <key>CsrActiveConfig</key>
    <string>0x3</string>
    <key>BooterConfig</key>
    <string>0x28</string>
</dict>
As far as system protection goes, this is all new. OS X hasn’t had this level of system security before, and at this point it seems as if users can simply take it or leave it at their own risk. As Rehabman wisely said, “The sky will not fall if you disable SIP… it is equivalent to the security scenario we’ve been using on hacks for a long time.”
We expect that by the official launch of OS X El Capitan, bootloaders will be fixed and methods will be solidified. Guides and complete solutions should be available even for the most novice of users. For now, we've updated our El Capitan Public Beta USB installation guide with config.plist examples that will work with the latest Public Betas.
http://www.tonymacx86.com/el-capita...ublic-beta-installation-usb-using-clover.html
Special thanks to toleda and RehabMan for their contributions to this report. Credit to Piker Alpha for his amazing in-depth explanations on his blog.
Sources:
Official WWDC Video
https://developer.apple.com/videos/wwdc/2015/?id=706
https://pikeralpha.wordpress.com/2015/07/28/apples-kext-signing-bypassed/
http://sourceforge.net/projects/cloverefiboot/
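
The csr-active-config values listed in this post are bitmasks, so 0x3 and 0x67 each switch off a specific set of protections. The Python below is an added example (not from the original post or the Clover project) that decodes a value into the flag names from Apple's open-source XNU header bsd/sys/csr.h and audits a Clover config.plist for relaxed protections; the function names and the plist wrapper around the post's RtVariables fragment are assumptions made for illustration.

```python
import plistlib

# Bit names as defined in XNU's bsd/sys/csr.h (bits 0-7 only).
CSR_FLAGS = {
    0x01: "CSR_ALLOW_UNTRUSTED_KEXTS",
    0x02: "CSR_ALLOW_UNRESTRICTED_FS",
    0x04: "CSR_ALLOW_TASK_FOR_PID",
    0x08: "CSR_ALLOW_KERNEL_DEBUGGER",
    0x10: "CSR_ALLOW_APPLE_INTERNAL",
    0x20: "CSR_ALLOW_UNRESTRICTED_DTRACE",
    0x40: "CSR_ALLOW_UNRESTRICTED_NVRAM",
    0x80: "CSR_ALLOW_DEVICE_CONFIGURATION",
}

# Constructed sample: the RtVariables fragment from the post in a minimal plist.
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>RtVariables</key>
    <dict>
        <key>CsrActiveConfig</key>
        <string>0x3</string>
        <key>BooterConfig</key>
        <string>0x28</string>
    </dict>
</dict>
</plist>
"""

def decode_csr(value):
    """Return (names of the known bits that are set, mask of bits not in CSR_FLAGS)."""
    names = [name for bit, name in sorted(CSR_FLAGS.items()) if value & bit]
    unknown = value & ~sum(CSR_FLAGS)
    return names, unknown

def audit_clover_config(plist_bytes):
    """Read RtVariables/CsrActiveConfig and report which SIP protections it relaxes."""
    config = plistlib.loads(plist_bytes)
    raw = config.get("RtVariables", {}).get("CsrActiveConfig")
    if raw is None:
        return {"value": None, "relaxed": [], "unknown_bits": 0}
    # Clover configs carry the value as a hex string; a plist <integer> is accepted too.
    value = raw if isinstance(raw, int) else int(str(raw), 0)
    relaxed, unknown = decode_csr(value)
    return {"value": value, "relaxed": relaxed, "unknown_bits": unknown}

if __name__ == "__main__":
    print(audit_clover_config(SAMPLE_CONFIG))
```

An empty `relaxed` list corresponds to the post's 0x0 (SIP enabled); any non-zero `unknown_bits` means the value sets bits outside the eight named here and should be checked against the csr.h of the OS release in use.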