Jump to content
3 posts in this topic

Recommended Posts

I'm asking here, in the hackintosh community, because it seems there is more information available regarding SIP then there is on Apple forums.

 

I am trying to figure out how to disable SIP options individually. Most of them are already documented but a few others are not. I am most interested in turning off Boot-arg restrictions and can't find the `csrutil` argument to do so.

 

On macOS we use this command while in "recovery mode"

csrutil enable --without xxx

Using the arguments listed below...

 

Apple Internal:  (--no-internal)

Kext Signing:  (--without kext)

Filesystem Protections:  (--without fs)

Debugging Restrictions: (--without debug)

DTrace Restrictions:  (--without dtrace)

NVRAM Protections:  (--without nvram)

BaseSystem Verification:  (--without basesystem)

Boot-arg Restrictions: ?

Kernel Integrity Protections: ?

Authenticated Root Requirement: ?

 

The last three are a mystery.

 

I think not all capabilities can be set by csrutil arguments.

In hackintosh we set bit mask in the nvram variable "csr-active-config". It is defined in Apple XNU opensource.


/* CSR configuration flags */
#define CSR_ALLOW_UNTRUSTED_KEXTS               (1 << 0)
#define CSR_ALLOW_UNRESTRICTED_FS               (1 << 1)
#define CSR_ALLOW_TASK_FOR_PID                  (1 << 2)
#define CSR_ALLOW_KERNEL_DEBUGGER               (1 << 3)
#define CSR_ALLOW_APPLE_INTERNAL                (1 << 4)
#define CSR_ALLOW_DESTRUCTIVE_DTRACE                    (1 << 5) /* name deprecated */
#define CSR_ALLOW_UNRESTRICTED_DTRACE                   (1 << 5)
#define CSR_ALLOW_UNRESTRICTED_NVRAM                    (1 << 6)
#define CSR_ALLOW_DEVICE_CONFIGURATION                  (1 << 7)
#define CSR_ALLOW_ANY_RECOVERY_OS                       (1 << 8)
#define CSR_ALLOW_UNAPPROVED_KEXTS                      (1 << 9)
#define CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE    (1 << 10)
#define CSR_ALLOW_UNAUTHENTICATED_ROOT                  (1 << 11)

#define CSR_VALID_FLAGS (CSR_ALLOW_UNTRUSTED_KEXTS | \
	                         CSR_ALLOW_UNRESTRICTED_FS | \
	                         CSR_ALLOW_TASK_FOR_PID | \
	                         CSR_ALLOW_KERNEL_DEBUGGER | \
	                         CSR_ALLOW_APPLE_INTERNAL | \
	                         CSR_ALLOW_UNRESTRICTED_DTRACE | \
	                         CSR_ALLOW_UNRESTRICTED_NVRAM | \
	                         CSR_ALLOW_DEVICE_CONFIGURATION | \
	                         CSR_ALLOW_ANY_RECOVERY_OS | \
	                         CSR_ALLOW_UNAPPROVED_KEXTS | \
	                         CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE | \
	                         CSR_ALLOW_UNAUTHENTICATED_ROOT)

#define CSR_ALWAYS_ENFORCED_FLAGS (CSR_ALLOW_DEVICE_CONFIGURATION | CSR_ALLOW_ANY_RECOVERY_OS)

/* Flags set by `csrutil disable`. */
#define CSR_DISABLE_FLAGS (CSR_ALLOW_UNTRUSTED_KEXTS | \
	                   CSR_ALLOW_UNRESTRICTED_FS | \
	                   CSR_ALLOW_TASK_FOR_PID | \
	                   CSR_ALLOW_KERNEL_DEBUGGER | \
	                   CSR_ALLOW_APPLE_INTERNAL | \
	                   CSR_ALLOW_UNRESTRICTED_DTRACE | \
	                   CSR_ALLOW_UNRESTRICTED_NVRAM)

So, for example, 

csrutil disable 

will correspond to 0x7F same as

sudo nvram csr-active-config=%7f%00%00%00

Screenshot 2023-09-01 at 06.44.27.png

But we can't use csrutil as it works only in Recovery mode while after restart the bootloader will set own SIP value.

 

  • Like 1
  • 1 year later...

In general this table should give you visual overview.

csrstat should give you the actual bits in the booted system. Disregard the names as they might be incorrect, but the bits should be correct. Compile with:

cc csrstat.c -o csrstat

Apple internal bit behaves differently on apple hardware compared to hackintosh.

 

Querying:

strings /usr/bin/csrutil

Gives us some intuitive results:

Tc,N,GisARVSealingRequired
Tc,N,GisAppleInternalPolicyAllowed
Tc,N,GisDTraceRestricted
Tc,N,GisDebuggingRestricted
Tc,N,GisFilesystemAccessRestricted
Tc,N,GisKernelDebuggingRestricted
Tc,N,GisKextSigningRequired
Tc,N,GisNVRAMAccessRestricted
Tc,N,GisRecoveryVerificationRequired
Tc,N,GisResearchGuestAllowed
Tc,N,GisThirdPartyKextLoadingEnabled
Tc,R,GisFileVaultEnabled,V_fileVaultEnabled
Tc,R,GisLocked

 

Edited by startergo
Typo correct
  • Like 3

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...