Commit 36b04ca3
Authored May 30, 2021 by MikeBeaton
CsrUtil: Update OC SIP disabled default; document problematic SIP bits
Parent: 17df955a
Showing 5 changed files with 39 additions and 25 deletions
Application/CsrUtil/CsrUtil.c +4 -4
Changelog.md +2 -0
Docs/Configuration.tex +21 -10
Include/Apple/IndustryStandard/AppleCsrConfig.h +11 -10
Library/OcBootManagementLib/VariableManagement.c +1 -1
Application/CsrUtil/CsrUtil.c
...
...
@@ -86,11 +86,11 @@ PrintUsage (
Print
(
L" clear
\n
"
);
Print
(
L" Clear the existing configuration.
\n
"
);
Print
(
L" disable [<csr-value>]
\n
"
);
Print
(
L" Disable the protection on the machine (use default 0x%x or csr value).
\n
"
,
CSR_APPLE_DISABLE_SIP_DEFAULT
);
Print
(
L" Disable the protection on the machine (use default 0x%x or csr value).
\n
"
,
OC_CSR_DISABLE_FLAGS
);
Print
(
L" enable [<csr-value>]
\n
"
);
Print
(
L" Enable the protection on the machine (use 0 or other legal csr value).
\n
"
);
Print
(
L" toggle [<csr-value>]
\n
"
);
Print
(
L" Toggle the protection on the machine (use default 0x%x or csr value).
\n
"
,
CSR_APPLE_DISABLE_SIP_DEFAULT
);
Print
(
L" Toggle the protection on the machine (use default 0x%x or csr value).
\n
"
,
OC_CSR_DISABLE_FLAGS
);
Print
(
L" status
\n
"
);
Print
(
L" Display the current configuration.
\n
"
);
Print
(
L"
\n
"
);
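Review bot: In the disable and toggle usage lines, "use default 0x%x" does not say whose default is meant, and the value now printed is OC's own (OC_CSR_DISABLE_FLAGS) rather than what Apple's csrutil disable sets. Suggest wording such as "use OC default 0x%x or csr value", so that a user comparing the output with csrutil on macOS is not surprised by a different number.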
...
...
@@ -196,7 +196,7 @@ UefiMain (
// Disable; allow anything except valid enable values
//
if
(
Argc
==
2
)
{
CsrConfig
=
CSR_APPLE_DISABLE_SIP_DEFAULT
;
CsrConfig
=
OC_CSR_DISABLE_FLAGS
;
}
else
{
if
((
Data
&
~
CSR_ALLOW_APPLE_INTERNAL
)
==
0
)
{
Print
(
L"Illegal value for %s
\n
"
,
L"disable"
);
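Review bot: The guard (Data & ~CSR_ALLOW_APPLE_INTERNAL) == 0 in the disable branch only rejects values that amount to an enable, so a user-supplied value containing CSR_ALLOW_APPLE_INTERNAL or CSR_ALLOW_UNAUTHENTICATED_ROOT is still accepted silently, although the documentation updated in this same commit describes both bits as interfering with macOS updates. Consider printing a warning (not an error) when either bit is present in Data, so that the tool and Configuration.tex agree.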
...
...
@@ -240,7 +240,7 @@ UefiMain (
// Toggle; allow anything except valid enable values
//
if
(
Argc
==
2
)
{
CsrConfig
=
CSR_APPLE_DISABLE_SIP_DEFAULT
;
CsrConfig
=
OC_CSR_DISABLE_FLAGS
;
}
else
{
if
((
Data
&
~
CSR_ALLOW_APPLE_INTERNAL
)
==
0
)
{
Print
(
L"Illegal value for %s
\n
"
,
L"toggle"
);
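Review bot: The toggle branch repeats the disable branch almost line for line: the same OC_CSR_DISABLE_FLAGS default when Argc == 2 and the same (Data & ~CSR_ALLOW_APPLE_INTERNAL) == 0 rejection, differing only in the L"toggle" string passed to Print. This commit had to edit both copies; a small helper that takes the action name would keep the default and the legality check in one place.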
...
...
Changelog.md
...
...
@@ -24,6 +24,8 @@ OpenCore Changelog
-
Defined bootloader flavours
-
Applied own flavour in OC build
-
Added CPU topology fixes to
`ProvideCurrentCpuInfo`
quirk
-
Updated OC default SIP disabled value
-
Documented SIP values which affect macOS updates
#### v0.6.9
-
Fixed out-of-sync cursor movement rectangle when loading e.g. CrScreenshotDxe
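Review bot: The entry "Updated OC default SIP disabled value" does not name the value. Configuration.tex in this commit gives it as 0x26F, so stating it here (for example "Updated OC default SIP disabled value to 0x26F") would let users who track csr-active-config see the change without opening the documentation.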
...
...
Docs/Configuration.tex
...
...
@@ -3749,20 +3749,31 @@ nvram 4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102:boot-log |
entry for disabling and enabling System Integrity Protection in OpenCore picker.
This will toggle Apple NVRAM variable
\texttt
{
csr-active-config
}
between
\texttt
{
0
}
for
SIP Enabled and the current macOS default for SIP Disabled (currently
\texttt
{
0x6F
}
for Big Sur).
SIP Enabled and a practical default value for SIP Disabled (currently
\texttt
{
0x26F
}
).
\emph
{
Note1
}
: Using the SIP Disabled value from a newer version of macOS on an older version
(e.g. Catalina and below) will report an unknown setting if queried using
\texttt
{
csrutil
\
status
}
,
but will still run correctly and be secure, because new bits are added but old bits
are not removed between versions of macOS. (It is possible to configure
\texttt
{
CsrUtil.efi
}
as a
\texttt
{
TextMode
}
\texttt
{
Tools
}
entry to configure a different value, e.g. use
\texttt
{
toggle
\
0x67
}
in
\texttt
{
Arguments
}
to toggle the default SIP Disabled value for macOS Catalina.)
\emph
{
Note2
}
: It is strongly recommended not to make a habit of running macOS with
\emph
{
Note1
}
: It is strongly recommended not to make a habit of running macOS with
SIP disabled. Use of this boot option may make it easier to quickly disable SIP
protection when genuinely needed - it should be re-enabled again afterwards.
\emph
{
Note2
}
: OC uses
\texttt
{
0x26F
}
even though
\texttt
{
csrutil disable
}
on Big Sur
sets
\texttt
{
0x7F
}
. To explain the choice:
\begin{itemize}
\tightlist
\item
\texttt
{
csrutil disable -
{}
-no-internal
}
actually sets
\texttt
{
0x6F
}
, and this is
preferable because
\texttt
{
CSR
\_
ALLOW
\_
APPLE
\_
INTERNAL
}
(
\texttt
{
0x10
}
) prevents updates
(unless you are running an internal build of macOS).
\item
\texttt
{
CSR
\_
ALLOW
\_
UNAPPROVED
\_
KEXTS
}
(
\texttt
{
0x200
}
) is generally useful, in the case
where you do need to have SIP disabled, as it allows installing unsigned kexts without manual
approval in System Preferences.
\item
\texttt
{
CSR
\_
ALLOW
\_
UNAUTHENTICATED
\_
ROOT
}
(
\texttt
{
0x800
}
) is not practical as it prevents
incremental (non-full) OTA updates.
\end{itemize}
\emph
{
Note3
}
: For any other value which you may need to use, it is possible to
configure
\texttt
{
CsrUtil.efi
}
as a
\texttt
{
TextMode
}
\texttt
{
Tools
}
entry to configure a
different value, e.g. use
\texttt
{
toggle
\
0x6F
}
in
\texttt
{
Arguments
}
to toggle the
SIP disabled value set by default by
\texttt
{
csrutil disable -
{}
-no-internal
}
in Big Sur.
\item
\texttt
{
ApECID
}
\\
\textbf
{
Type
}
:
\texttt
{
plist
\
integer
}
, 64 bit
\\
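Review bot: In the Note2 list, the CSR_ALLOW_UNAUTHENTICATED_ROOT (0x800) item is presented as part of the explanation for choosing 0x26F, but neither 0x26F nor the 0x7F that csrutil disable sets contains that bit, so the reader cannot tell what it is being compared against. Suggest stating explicitly that 0x800 is left out of the OC default. Since 0x26F is now written out twice in this section, it is also worth noting that the figure must match OC_CSR_DISABLE_FLAGS in AppleCsrConfig.h.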
...
...
Include/Apple/IndustryStandard/AppleCsrConfig.h
...
...
@@ -52,16 +52,17 @@
#define CSR_ALWAYS_ENFORCED_FLAGS (CSR_ALLOW_DEVICE_CONFIGURATION | CSR_ALLOW_ANY_RECOVERY_OS)
///
/// Value as applied by csrutil in latest macOS.
/// Keep in sync with discovered non-internal Apple value; below is current for Big Sur.
///
#define CSR_APPLE_DISABLE_SIP_DEFAULT (CSR_ALLOW_UNTRUSTED_KEXTS | \
CSR_ALLOW_UNRESTRICTED_FS | \
CSR_ALLOW_TASK_FOR_PID | \
CSR_ALLOW_KERNEL_DEBUGGER | \
CSR_ALLOW_UNRESTRICTED_DTRACE | \
CSR_ALLOW_UNRESTRICTED_NVRAM )
/* Flags set by default by Apple `csrutil disable`. */
#define CSR_DISABLE_FLAGS (CSR_ALLOW_UNTRUSTED_KEXTS | \
CSR_ALLOW_UNRESTRICTED_FS | \
CSR_ALLOW_TASK_FOR_PID | \
CSR_ALLOW_KERNEL_DEBUGGER | \
CSR_ALLOW_APPLE_INTERNAL | \
CSR_ALLOW_UNRESTRICTED_DTRACE | \
CSR_ALLOW_UNRESTRICTED_NVRAM)
/* Flags set by default by OC `csrutil disable`. */
#define OC_CSR_DISABLE_FLAGS ((CSR_DISABLE_FLAGS & ~(CSR_ALLOW_APPLE_INTERNAL)) | CSR_ALLOW_UNAPPROVED_KEXTS)
#define CSR_APPLE_SIP_NVRAM_ATTR (EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS)
#define CSR_APPLE_SIP_NVRAM_NV_ATTR (EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_NON_VOLATILE)
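Review bot: The comment on OC_CSR_DISABLE_FLAGS does not record why CSR_ALLOW_APPLE_INTERNAL is masked out and CSR_ALLOW_UNAPPROVED_KEXTS is added; that rationale exists only in Configuration.tex. Suggest a one-line reason and the resulting value (0x26F) in the comment, and carrying over a "Keep in sync" reminder like the one on CSR_APPLE_DISABLE_SIP_DEFAULT for CSR_DISABLE_FLAGS. The two comments also use /* */ where the neighbouring block uses ///; pick one style for the file.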
...
...
Library/OcBootManagementLib/VariableManagement.c
...
...
@@ -418,7 +418,7 @@ InternalSystemActionToggleSip (
VOID
)
{
return
OcToggleSip
(
CSR_APPLE_DISABLE_SIP_DEFAULT
);
return
OcToggleSip
(
OC_CSR_DISABLE_FLAGS
);
}
VOID
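Review bot: InternalSystemActionToggleSip now passes OC_CSR_DISABLE_FLAGS, but these lines do not show how OcToggleSip treats a csr-active-config that is already non-zero and differs from the argument, for instance one written with the previous default. Please confirm that any such value is toggled back to enabled rather than overwritten with the new disabled value, and state that behaviour in the function's header comment.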
...
...