diff --git a/Application/CsrUtil/CsrUtil.c b/Application/CsrUtil/CsrUtil.c index 4c36a1ba37bd896a29c91c620e800d2a51fa341b..383dc5c8dd756f68f0855f30ed72caec0f999e2c 100644 --- a/Application/CsrUtil/CsrUtil.c +++ b/Application/CsrUtil/CsrUtil.c @@ -86,11 +86,11 @@ PrintUsage ( Print (L" clear\n"); Print (L" Clear the existing configuration.\n"); Print (L" disable []\n"); - Print (L" Disable the protection on the machine (use default 0x%x or csr value).\n", CSR_APPLE_DISABLE_SIP_DEFAULT); + Print (L" Disable the protection on the machine (use default 0x%x or csr value).\n", OC_CSR_DISABLE_FLAGS); Print (L" enable []\n"); Print (L" Enable the protection on the machine (use 0 or other legal csr value).\n"); Print (L" toggle []\n"); - Print (L" Toggle the protection on the machine (use default 0x%x or csr value).\n", CSR_APPLE_DISABLE_SIP_DEFAULT); + Print (L" Toggle the protection on the machine (use default 0x%x or csr value).\n", OC_CSR_DISABLE_FLAGS); Print (L" status\n"); Print (L" Display the current configuration.\n"); Print (L"\n"); @@ -196,7 +196,7 @@ UefiMain ( // Disable; allow anything except valid enable values // if (Argc == 2) { - CsrConfig = CSR_APPLE_DISABLE_SIP_DEFAULT; + CsrConfig = OC_CSR_DISABLE_FLAGS; } else { if ((Data & ~CSR_ALLOW_APPLE_INTERNAL) == 0) { Print (L"Illegal value for %s\n", L"disable"); @@ -240,7 +240,7 @@ UefiMain ( // Toggle; allow anything except valid enable values // if (Argc == 2) { - CsrConfig = CSR_APPLE_DISABLE_SIP_DEFAULT; + CsrConfig = OC_CSR_DISABLE_FLAGS; } else { if ((Data & ~CSR_ALLOW_APPLE_INTERNAL) == 0) { Print (L"Illegal value for %s\n", L"toggle"); diff --git a/Changelog.md b/Changelog.md index 7224a30d81688fb315bd5149f61c492695a8f2fb..6ce2de7e5855097f979ea26c72a4b745f8899c35 100644 --- a/Changelog.md +++ b/Changelog.md @@ -24,6 +24,8 @@ OpenCore Changelog - Defined bootloader flavours - Applied own flavour in OC build - Added CPU topology fixes to `ProvideCurrentCpuInfo` quirk +- Updated OC default SIP disabled value +- Documented SIP values which affect macOS updates #### v0.6.9 - Fixed out-of-sync cursor movement rectangle when loading e.g. CrScreenshotDxe diff --git a/Docs/Configuration.tex b/Docs/Configuration.tex index 7cdac76c5f285c13290f991b019f3986a051dab0..c5d0990891bc751cd7cbff23d26f7ecc1ac59573 100755 --- a/Docs/Configuration.tex +++ b/Docs/Configuration.tex @@ -3749,20 +3749,31 @@ nvram 4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102:boot-log | entry for disabling and enabling System Integrity Protection in OpenCore picker. This will toggle Apple NVRAM variable \texttt{csr-active-config} between \texttt{0} for - SIP Enabled and the current macOS default for SIP Disabled (currently \texttt{0x6F} - for Big Sur). + SIP Enabled and a practical default value for SIP Disabled (currently \texttt{0x26F}). - \emph{Note1}: Using the SIP Disabled value from a newer version of macOS on an older version - (e.g. Catalina and below) will report an unknown setting if queried using \texttt{csrutil\ status}, - but will still run correctly and be secure, because new bits are added but old bits - are not removed between versions of macOS. (It is possible to configure \texttt{CsrUtil.efi} - as a \texttt{TextMode} \texttt{Tools} entry to configure a different value, e.g. use \texttt{toggle\ 0x67} - in \texttt{Arguments} to toggle the default SIP Disabled value for macOS Catalina.) - - \emph{Note2}: It is strongly recommended not to make a habit of running macOS with + \emph{Note1}: It is strongly recommended not to make a habit of running macOS with SIP disabled. Use of this boot option may make it easier to quickly disable SIP protection when genuinely needed - it should be re-enabled again afterwards. + \emph{Note2}: OC uses \texttt{0x26F} even though \texttt{csrutil disable} on Big Sur + sets \texttt{0x7F}. To explain the choice: + \begin{itemize} + \tightlist + \item \texttt{csrutil disable -{}-no-internal} actually sets \texttt{0x6F}, and this is + preferable because \texttt{CSR\_ALLOW\_APPLE\_INTERNAL} (\texttt{0x10}) prevents updates + (unless you are running an internal build of macOS). + \item \texttt{CSR\_ALLOW\_UNAPPROVED\_KEXTS} (\texttt{0x200}) is generally useful, in the case + where you do need to have SIP disabled, as it allows installing unsigned kexts without manual + approval in System Preferences. + \item \texttt{CSR\_ALLOW\_UNAUTHENTICATED\_ROOT} (\texttt{0x800}) is not practical as it prevents + incremental (non-full) OTA updates. + \end{itemize} + + \emph{Note3}: For any other value which you may need to use, it is possible to + configure \texttt{CsrUtil.efi} as a \texttt{TextMode} \texttt{Tools} entry to configure a + different value, e.g. use \texttt{toggle\ 0x6F} in \texttt{Arguments} to toggle the + SIP disabled value set by default by \texttt{csrutil disable -{}-no-internal} in Big Sur. + \item \texttt{ApECID}\\ \textbf{Type}: \texttt{plist\ integer}, 64 bit\\ diff --git a/Include/Apple/IndustryStandard/AppleCsrConfig.h b/Include/Apple/IndustryStandard/AppleCsrConfig.h index c48a72320b3424027bca0e2fa22174ebc493c159..a5eb42171c80e92fc708fd7caac80ca83f2e518a 100644 --- a/Include/Apple/IndustryStandard/AppleCsrConfig.h +++ b/Include/Apple/IndustryStandard/AppleCsrConfig.h @@ -52,16 +52,17 @@ #define CSR_ALWAYS_ENFORCED_FLAGS (CSR_ALLOW_DEVICE_CONFIGURATION | CSR_ALLOW_ANY_RECOVERY_OS) -/// -/// Value as applied by csrutil in latest macOS. -/// Keep in sync with discovered non-internal Apple value; below is current for Big Sur. -/// -#define CSR_APPLE_DISABLE_SIP_DEFAULT (CSR_ALLOW_UNTRUSTED_KEXTS | \ - CSR_ALLOW_UNRESTRICTED_FS | \ - CSR_ALLOW_TASK_FOR_PID | \ - CSR_ALLOW_KERNEL_DEBUGGER | \ - CSR_ALLOW_UNRESTRICTED_DTRACE | \ - CSR_ALLOW_UNRESTRICTED_NVRAM ) +/* Flags set by default by Apple `csrutil disable`. */ +#define CSR_DISABLE_FLAGS (CSR_ALLOW_UNTRUSTED_KEXTS | \ + CSR_ALLOW_UNRESTRICTED_FS | \ + CSR_ALLOW_TASK_FOR_PID | \ + CSR_ALLOW_KERNEL_DEBUGGER | \ + CSR_ALLOW_APPLE_INTERNAL | \ + CSR_ALLOW_UNRESTRICTED_DTRACE | \ + CSR_ALLOW_UNRESTRICTED_NVRAM) + +/* Flags set by default by OC `csrutil disable`. */ +#define OC_CSR_DISABLE_FLAGS ((CSR_DISABLE_FLAGS & ~(CSR_ALLOW_APPLE_INTERNAL)) | CSR_ALLOW_UNAPPROVED_KEXTS) #define CSR_APPLE_SIP_NVRAM_ATTR (EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS) #define CSR_APPLE_SIP_NVRAM_NV_ATTR (EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_NON_VOLATILE) diff --git a/Library/OcBootManagementLib/VariableManagement.c b/Library/OcBootManagementLib/VariableManagement.c index b0f431fc3538718e714602b310759ce5b294da95..eaf09aeb8c705419012ba4e2ce4ad5b34007eede 100644 --- a/Library/OcBootManagementLib/VariableManagement.c +++ b/Library/OcBootManagementLib/VariableManagement.c @@ -418,7 +418,7 @@ InternalSystemActionToggleSip ( VOID ) { - return OcToggleSip (CSR_APPLE_DISABLE_SIP_DEFAULT); + return OcToggleSip (OC_CSR_DISABLE_FLAGS); } VOID