CsrUtil: Update OC SIP disabled default; document problematic SIP bits

Application/CsrUtil/CsrUtil.c

@@ -86,11 +86,11 @@ PrintUsage (
   Print (L"    clear\n");
   Print (L"        Clear the existing configuration.\n");
   Print (L"    disable [<csr-value>]\n");
-  Print (L"        Disable the protection on the machine (use default 0x%x or csr value).\n", CSR_APPLE_DISABLE_SIP_DEFAULT);
+  Print (L"        Disable the protection on the machine (use default 0x%x or csr value).\n", OC_CSR_DISABLE_FLAGS);
   Print (L"    enable [<csr-value>]\n");
   Print (L"        Enable the protection on the machine (use 0 or other legal csr value).\n");
   Print (L"    toggle [<csr-value>]\n");
-  Print (L"        Toggle the protection on the machine (use default 0x%x or csr value).\n", CSR_APPLE_DISABLE_SIP_DEFAULT);
+  Print (L"        Toggle the protection on the machine (use default 0x%x or csr value).\n", OC_CSR_DISABLE_FLAGS);
   Print (L"    status\n");
   Print (L"        Display the current configuration.\n");
   Print (L"\n");
@@ -196,7 +196,7 @@ UefiMain (
       // Disable; allow anything except valid enable values
       //
       if (Argc == 2) {
-        CsrConfig = CSR_APPLE_DISABLE_SIP_DEFAULT;
+        CsrConfig = OC_CSR_DISABLE_FLAGS;
       } else {
         if ((Data & ~CSR_ALLOW_APPLE_INTERNAL) == 0) {
           Print (L"Illegal value for %s\n", L"disable");
@@ -240,7 +240,7 @@ UefiMain (
       // Toggle; allow anything except valid enable values
       //
       if (Argc == 2) {
-        CsrConfig = CSR_APPLE_DISABLE_SIP_DEFAULT;
+        CsrConfig = OC_CSR_DISABLE_FLAGS;
       } else {
         if ((Data & ~CSR_ALLOW_APPLE_INTERNAL) == 0) {
           Print (L"Illegal value for %s\n", L"toggle");

Changelog.md

@@ -24,6 +24,8 @@ OpenCore Changelog
 - Defined bootloader flavours
 - Applied own flavour in OC build
 - Added CPU topology fixes to `ProvideCurrentCpuInfo` quirk
+- Updated OC default SIP disabled value
+- Documented SIP values which affect macOS updates
 
 #### v0.6.9
 - Fixed out-of-sync cursor movement rectangle when loading e.g. CrScreenshotDxe

Docs/Configuration.tex

@@ -3749,20 +3749,31 @@ nvram 4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102:boot-log |
   entry for disabling and enabling System Integrity Protection in OpenCore picker.
 
   This will toggle Apple NVRAM variable \texttt{csr-active-config} between \texttt{0} for
-  SIP Enabled and the current macOS default for SIP Disabled (currently \texttt{0x6F}
-  for Big Sur).
+  SIP Enabled and a practical default value for SIP Disabled (currently \texttt{0x26F}).
 
-  \emph{Note1}: Using the SIP Disabled value from a newer version of macOS on an older version
-  (e.g. Catalina and below) will report an unknown setting if queried using \texttt{csrutil\ status},
-  but will still run correctly and be secure, because new bits are added but old bits
-  are not removed between versions of macOS. (It is possible to configure \texttt{CsrUtil.efi}
-  as a \texttt{TextMode} \texttt{Tools} entry to configure a different value, e.g. use \texttt{toggle\ 0x67}
-  in \texttt{Arguments} to toggle the default SIP Disabled value for macOS Catalina.)
-
-  \emph{Note2}: It is strongly recommended not to make a habit of running macOS with
+  \emph{Note1}: It is strongly recommended not to make a habit of running macOS with
   SIP disabled. Use of this boot option may make it easier to quickly disable SIP
   protection when genuinely needed - it should be re-enabled again afterwards.
 
+  \emph{Note2}: OC uses \texttt{0x26F} even though \texttt{csrutil disable} on Big Sur
+  sets \texttt{0x7F}. To explain the choice:
+  \begin{itemize}
+  \tightlist
+  \item \texttt{csrutil disable -{}-no-internal} actually sets \texttt{0x6F}, and this is
+  preferable because \texttt{CSR\_ALLOW\_APPLE\_INTERNAL} (\texttt{0x10}) prevents updates
+  (unless you are running an internal build of macOS).
+  \item \texttt{CSR\_ALLOW\_UNAPPROVED\_KEXTS} (\texttt{0x200}) is generally useful, in the case
+  where you do need to have SIP disabled, as it allows installing unsigned kexts without manual
+  approval in System Preferences.
+  \item \texttt{CSR\_ALLOW\_UNAUTHENTICATED\_ROOT} (\texttt{0x800}) is not practical as it prevents
+  incremental (non-full) OTA updates.
+  \end{itemize}
+ 
+  \emph{Note3}: For any other value which you may need to use, it is possible to
+  configure \texttt{CsrUtil.efi} as a \texttt{TextMode} \texttt{Tools} entry to configure a
+  different value, e.g. use \texttt{toggle\ 0x6F} in \texttt{Arguments} to toggle the
+  SIP disabled value set by default by \texttt{csrutil disable -{}-no-internal} in Big Sur.
+
 \item
   \texttt{ApECID}\\
   \textbf{Type}: \texttt{plist\ integer}, 64 bit\\

Include/Apple/IndustryStandard/AppleCsrConfig.h

@@ -52,16 +52,17 @@
 
 #define CSR_ALWAYS_ENFORCED_FLAGS (CSR_ALLOW_DEVICE_CONFIGURATION | CSR_ALLOW_ANY_RECOVERY_OS)
 
-///
-/// Value as applied by csrutil in latest macOS.
-/// Keep in sync with discovered non-internal Apple value; below is current for Big Sur.
-///
-#define CSR_APPLE_DISABLE_SIP_DEFAULT (CSR_ALLOW_UNTRUSTED_KEXTS | \
-                                       CSR_ALLOW_UNRESTRICTED_FS | \
-                                       CSR_ALLOW_TASK_FOR_PID | \
-                                       CSR_ALLOW_KERNEL_DEBUGGER | \
-                                       CSR_ALLOW_UNRESTRICTED_DTRACE | \
-                                       CSR_ALLOW_UNRESTRICTED_NVRAM )
+/* Flags set by default by Apple `csrutil disable`. */
+#define CSR_DISABLE_FLAGS (CSR_ALLOW_UNTRUSTED_KEXTS | \
+                           CSR_ALLOW_UNRESTRICTED_FS | \
+                           CSR_ALLOW_TASK_FOR_PID | \
+                           CSR_ALLOW_KERNEL_DEBUGGER | \
+                           CSR_ALLOW_APPLE_INTERNAL | \
+                           CSR_ALLOW_UNRESTRICTED_DTRACE | \
+                           CSR_ALLOW_UNRESTRICTED_NVRAM)
+
+/* Flags set by default by OC `csrutil disable`. */
+#define OC_CSR_DISABLE_FLAGS ((CSR_DISABLE_FLAGS & ~(CSR_ALLOW_APPLE_INTERNAL)) | CSR_ALLOW_UNAPPROVED_KEXTS)
 
 #define CSR_APPLE_SIP_NVRAM_ATTR       (EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS)
 #define CSR_APPLE_SIP_NVRAM_NV_ATTR    (EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_NON_VOLATILE)

Library/OcBootManagementLib/VariableManagement.c

@@ -418,7 +418,7 @@ InternalSystemActionToggleSip (
   VOID
   )
 {
-  return OcToggleSip (CSR_APPLE_DISABLE_SIP_DEFAULT);
+  return OcToggleSip (OC_CSR_DISABLE_FLAGS);
 }
 
 VOID