...
Re the 'csr-active-config' changes - in layman's terms what am I actually doing? Enabling/disable System Integrity Protection? Is running with 67000000 leaving me exposed in any way?
...
From the Apple open source page for Big Sur 11.2 (file
csr.h), the bit flags for SIP are as follows:
C:
/* CSR configuration flags */
#define CSR_ALLOW_UNTRUSTED_KEXTS (1 << 0)
#define CSR_ALLOW_UNRESTRICTED_FS (1 << 1)
#define CSR_ALLOW_TASK_FOR_PID (1 << 2)
#define CSR_ALLOW_KERNEL_DEBUGGER (1 << 3)
#define CSR_ALLOW_APPLE_INTERNAL (1 << 4)
#define CSR_ALLOW_DESTRUCTIVE_DTRACE (1 << 5) /* name deprecated */
#define CSR_ALLOW_UNRESTRICTED_DTRACE (1 << 5)
#define CSR_ALLOW_UNRESTRICTED_NVRAM (1 << 6)
#define CSR_ALLOW_DEVICE_CONFIGURATION (1 << 7)
#define CSR_ALLOW_ANY_RECOVERY_OS (1 << 8)
#define CSR_ALLOW_UNAPPROVED_KEXTS (1 << 9)
#define CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE (1 << 10)
#define CSR_ALLOW_UNAUTHENTICATED_ROOT (1 << 11)
The operations (1 << x) mean start with binary 1 and shift it to the left x times. Therefore, if we use a single 8-bit byte we get:
- 1 << 0 = 0000 0001 (decimal 1, hex 0x01)
- 1 << 1 = 0000 0010 (decimal 2, hex 0x02)
- 1 << 2 = 0000 0100 (decimal 4, hex 0x04)
- 1 << 3 = 0000 1000 (decimal 8, hex 0x08)
- 1 << 4 = 0001 0000 (decimal 16, hex 0x10)
- 1 << 5 = 0010 0000 (decimal 32, hex 0x20)
These are simply powers of 2, or 2 raised to the power x.
The command
csrutil disable
properly disables SIP. It does so by setting the following flags:
C:
/* Flags set by `csrutil disable`. */
#define CSR_DISABLE_FLAGS (CSR_ALLOW_UNTRUSTED_KEXTS | \
CSR_ALLOW_UNRESTRICTED_FS | \
CSR_ALLOW_TASK_FOR_PID | \
CSR_ALLOW_KERNEL_DEBUGGER | \
CSR_ALLOW_APPLE_INTERNAL | \
CSR_ALLOW_UNRESTRICTED_DTRACE | \
CSR_ALLOW_UNRESTRICTED_NVRAM)
This equates to binary
0000 0000 0111 1111
or hex
0x007F
. In reverse byte order (needed for OpenCore) this is
7F00
. But two additional flags are always enforced:
C:
#define CSR_ALWAYS_ENFORCED_FLAGS (CSR_ALLOW_DEVICE_CONFIGURATION | CSR_ALLOW_ANY_RECOVERY_OS)
If we add the bit flags for these, the SIP value becomes binary
0000 0001 1111 1111
or hex
0x01FF
. In reverse byte order this is
FF01
.
But if we want to go beyond Apple's
csrutil disable
and disable
everything, then we can specify binary
0000 1111 1111 1111
or hex
0x0FFF
. In reverse byte order this is
FF0F
.
Now let's look at
67000000
. We ignore the last 4 bytes and examine only
6700
, which we know is in reverse byte order because we're getting this value from OpenCore
config.plist. Switching the bytes we get
0x0067
or binary
0000 0000 0110 0111
. We can decode this as follows:
C:
#define CSR_ALLOW_UNTRUSTED_KEXTS (1 << 0)
#define CSR_ALLOW_UNRESTRICTED_FS (1 << 1)
#define CSR_ALLOW_TASK_FOR_PID (1 << 2)
...
#define CSR_ALLOW_UNRESTRICTED_DTRACE (1 << 5)
#define CSR_ALLOW_UNRESTRICTED_NVRAM (1 << 6)
Happy now?
Bottom line: Do not worry about it. We've been running with SIP completely disabled for years.