Jump to content
10 posts in this topic

Recommended Posts

For some reason I'm unable to approve third party kexts in system preferences. I unlock, hit the "Details..." button, and the whole list is checked, and greyed out. Hitting 'OK' prompts me to restart, but upon restarting the kexts still aren't loaded.

Attempting to force them to load with `sudo kmutil load -p` returns an error `Error Domain=KMErrorDomain Code=27 "Extension with identifiers [...kext identifiers...] not approved to load. Please approve using System Preferences."`
I've tried adding the team identifiers for the kexts in question in recovery mode via `spctl kext-consent add [TeamID]`, which returned no errors, and yet still these kexts are not loading. 

I'm really not sure what's happening here. I'm running Big Sur 11.4 on OpenCore 0.6.9. I'm assuming this is somehow SIP related, but I would love any insight on this.

Screen Shot 2023-06-12 at 4.27.54 PM.png

Screen Shot 2023-06-12 at 4.28.02 PM.png

On 6/13/2023 at 3:07 AM, Mechanica said:

For some reason I'm unable to approve third party kexts in system preferences. I unlock, hit the "Details..." button, and the whole list is checked, and greyed out. Hitting 'OK' prompts me to restart, but upon restarting the kexts still aren't loaded.

Attempting to force them to load with `sudo kmutil load -p` returns an error `Error Domain=KMErrorDomain Code=27 "Extension with identifiers [...kext identifiers...] not approved to load. Please approve using System Preferences."`
I've tried adding the team identifiers for the kexts in question in recovery mode via `spctl kext-consent add [TeamID]`, which returned no errors, and yet still these kexts are not loading. 

I'm really not sure what's happening here. I'm running Big Sur 11.4 on OpenCore 0.6.9. I'm assuming this is somehow SIP related, but I would love any insight on this.

Try disabling SIP and boot into macOS and check if you can Allow the kexts to be loaded.

you can try by using OpenCore settings:

https://dortania.github.io/OpenCore-Install-Guide/troubleshooting/extended/post-issues.html#disabling-sip

 

Oe use the recovery partition method:

https://macmeup.com/what-is-sip/

  • Like 1
  • 2 weeks later...

Sorry for the late reply.
So, I think SIP is already disabled, to the best of my knowledge.
csrstat reports: 

Current Configuration:
	Apple Internal			0 (disabled)	[--no-internal]		CSR_ALLOW_APPLE_INTERNAL
	Kext Signing			1 (disabled)	[--without kext]	CSR_ALLOW_UNTRUSTED_KEXTS
	Debugging Restrictions		1 (disabled)	[--without debug]	CSR_ALLOW_TASK_FOR_PID
	Filesystem Protections		1 (disabled)	[--without fs]		CSR_ALLOW_UNRESTRICTED_FS
	Kernel Debugging Restrictions	1 (disabled)	<n/a>			CSR_ALLOW_KERNEL_DEBUGGER
	DTrace Restrictions		1 (disabled)	[--without dtrace]	CSR_ALLOW_UNRESTRICTED_DTRACE
	NVRAM Protections		1 (disabled)	[--without nvram]	CSR_ALLOW_UNRESTRICTED_NVRAM
	Device Configuration		1 (enabled)	<n/a>			CSR_ALLOW_DEVICE_CONFIGURATION
	BaseSystem Verification		1 (disabled)	[--without basesystem]	CSR_ALLOW_ANY_RECOVERY_OS
	Unapproved Kexts Restrictions	1 (disabled)	<n/a>			CSR_ALLOW_UNAPPROVED_KEXTS
	Executable Policy		1 (disabled)	<n/a>			CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE

So SIP is disabled save for `Device Configuration` as far as I can tell. Thoughts on this?

On 6/26/2023 at 3:28 AM, Mechanica said:

Sorry for the late reply.
So, I think SIP is already disabled, to the best of my knowledge.
csrstat reports: 

Current Configuration:
	Apple Internal			0 (disabled)	[--no-internal]		CSR_ALLOW_APPLE_INTERNAL
	Kext Signing			1 (disabled)	[--without kext]	CSR_ALLOW_UNTRUSTED_KEXTS
	Debugging Restrictions		1 (disabled)	[--without debug]	CSR_ALLOW_TASK_FOR_PID
	Filesystem Protections		1 (disabled)	[--without fs]		CSR_ALLOW_UNRESTRICTED_FS
	Kernel Debugging Restrictions	1 (disabled)	<n/a>			CSR_ALLOW_KERNEL_DEBUGGER
	DTrace Restrictions		1 (disabled)	[--without dtrace]	CSR_ALLOW_UNRESTRICTED_DTRACE
	NVRAM Protections		1 (disabled)	[--without nvram]	CSR_ALLOW_UNRESTRICTED_NVRAM
	Device Configuration		1 (enabled)	<n/a>			CSR_ALLOW_DEVICE_CONFIGURATION
	BaseSystem Verification		1 (disabled)	[--without basesystem]	CSR_ALLOW_ANY_RECOVERY_OS
	Unapproved Kexts Restrictions	1 (disabled)	<n/a>			CSR_ALLOW_UNAPPROVED_KEXTS
	Executable Policy		1 (disabled)	<n/a>			CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE

So SIP is disabled save for `Device Configuration` as far as I can tell. Thoughts on this?

My best csr status is

Configuration:
	Apple Internal: disabled
	Kext Signing: disabled
	Filesystem Protections: enabled
	Debugging Restrictions: disabled
	DTrace Restrictions: enabled
	NVRAM Protections: enabled
	BaseSystem Verification: enabled

But I prefer digits

nvram csr-active-config
csr-active-config %85%0a%00%00

 

  • Like 2
  • 1 month later...

Can someone point me to a comprehensive overview of how csr flags actually work? The is csrstat readout is confusing. What is `1 (disabled)` vs `1 (enabled)` mean for a given flag? Is a value of `1` enabled, or disabled, or it means something else entirely? If a flag `ALLOW_[etc]` is `enabled`, I assume that means I have enabled allowing of some action? So enabling flags is effectively disabling SIP, right? 

Screen Shot 2023-07-29 at 1.57.39 PM.png

On 7/30/2023 at 12:17 AM, Mechanica said:

Can someone point me to a comprehensive overview of how csr flags actually work? The is csrstat readout is confusing. What is `1 (disabled)` vs `1 (enabled)` mean for a given flag? Is a value of `1` enabled, or disabled, or it means something else entirely? If a flag `ALLOW_[etc]` is `enabled`, I assume that means I have enabled allowing of some action? So enabling flags is effectively disabling SIP, right? 

Screen Shot 2023-07-29 at 1.57.39 PM.png

Right.

Setting bit 0 (0x01) is equivalent to "--without kext" which means ALLOW UNTRUSTED KEXTS. This is usual setting to allow hackintosh kexts to work. I confirm this with VoodooHDA which will not work if the bit is equal to zero.

  • Like 1

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...