btwise
/
OpenCorePKG_MOD
Commit 36b04ca3
Authored on May 30, 2021
Author: MikeBeaton
CsrUtil: Update OC SIP disabled default; document problematic SIP bits
Parent: 17df955a
Showing 5 changed files with 39 additions and 25 deletions
Application/CsrUtil/CsrUtil.c +4 -4
Changelog.md +2 -0
Docs/Configuration.tex +21 -10
Include/Apple/IndustryStandard/AppleCsrConfig.h +11 -10
Library/OcBootManagementLib/VariableManagement.c +1 -1
Application/CsrUtil/CsrUtil.c
...
@@ -86,11 +86,11 @@ PrintUsage (
...
@@ -86,11 +86,11 @@ PrintUsage (
Print
(
L" clear
\n
"
);
Print
(
L" clear
\n
"
);
Print
(
L" Clear the existing configuration.
\n
"
);
Print
(
L" Clear the existing configuration.
\n
"
);
Print
(
L" disable [<csr-value>]
\n
"
);
Print
(
L" disable [<csr-value>]
\n
"
);
Print
(
L" Disable the protection on the machine (use default 0x%x or csr value).
\n
"
,
CSR_APPLE_DISABLE_SIP_DEFAULT
);
Print
(
L" Disable the protection on the machine (use default 0x%x or csr value).
\n
"
,
OC_CSR_DISABLE_FLAGS
);
Print
(
L" enable [<csr-value>]
\n
"
);
Print
(
L" enable [<csr-value>]
\n
"
);
Print
(
L" Enable the protection on the machine (use 0 or other legal csr value).
\n
"
);
Print
(
L" Enable the protection on the machine (use 0 or other legal csr value).
\n
"
);
Print
(
L" toggle [<csr-value>]
\n
"
);
Print
(
L" toggle [<csr-value>]
\n
"
);
Print
(
L" Toggle the protection on the machine (use default 0x%x or csr value).
\n
"
,
CSR_APPLE_DISABLE_SIP_DEFAULT
);
Print
(
L" Toggle the protection on the machine (use default 0x%x or csr value).
\n
"
,
OC_CSR_DISABLE_FLAGS
);
Print
(
L" status
\n
"
);
Print
(
L" status
\n
"
);
Print
(
L" Display the current configuration.
\n
"
);
Print
(
L" Display the current configuration.
\n
"
);
Print
(
L"
\n
"
);
Print
(
L"
\n
"
);
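Review bot: The usage strings for disable and toggle still say only "use default 0x%x", so after the argument switches to OC_CSR_DISABLE_FLAGS nothing tells the user that the printed default is OpenCore's own value rather than the one Apple's csrutil disable sets. Consider wording such as "use OC default 0x%x" in both strings so the value is not mistaken for the macOS one.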
...
@@ -196,7 +196,7 @@ UefiMain (
...
@@ -196,7 +196,7 @@ UefiMain (
// Disable; allow anything except valid enable values
// Disable; allow anything except valid enable values
//
//
if
(
Argc
==
2
)
{
if
(
Argc
==
2
)
{
CsrConfig
=
CSR_APPLE_DISABLE_SIP_DEFAULT
;
CsrConfig
=
OC_CSR_DISABLE_FLAGS
;
}
else
{
}
else
{
if
((
Data
&
~
CSR_ALLOW_APPLE_INTERNAL
)
==
0
)
{
if
((
Data
&
~
CSR_ALLOW_APPLE_INTERNAL
)
==
0
)
{
Print
(
L"Illegal value for %s
\n
"
,
L"disable"
);
Print
(
L"Illegal value for %s
\n
"
,
L"disable"
);
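Review bot: In the explicit-value branch the only rejection is `(Data & ~CSR_ALLOW_APPLE_INTERNAL) == 0`, so a user-supplied value such as 0x7F that sets CSR_ALLOW_APPLE_INTERNAL is accepted silently, even though the new default deliberately leaves that bit clear. Consider printing a warning (not an error) when Data contains CSR_ALLOW_APPLE_INTERNAL, pointing at the update issue documented in Configuration.tex.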
...
@@ -240,7 +240,7 @@ UefiMain (
...
@@ -240,7 +240,7 @@ UefiMain (
// Toggle; allow anything except valid enable values
// Toggle; allow anything except valid enable values
//
//
if
(
Argc
==
2
)
{
if
(
Argc
==
2
)
{
CsrConfig
=
CSR_APPLE_DISABLE_SIP_DEFAULT
;
CsrConfig
=
OC_CSR_DISABLE_FLAGS
;
}
else
{
}
else
{
if
((
Data
&
~
CSR_ALLOW_APPLE_INTERNAL
)
==
0
)
{
if
((
Data
&
~
CSR_ALLOW_APPLE_INTERNAL
)
==
0
)
{
Print
(
L"Illegal value for %s
\n
"
,
L"toggle"
);
Print
(
L"Illegal value for %s
\n
"
,
L"toggle"
);
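Review bot: The default selection and the `(Data & ~CSR_ALLOW_APPLE_INTERNAL) == 0` check in this toggle branch are the same as in the disable branch at -196, differing only in the L"toggle" string passed to Print. This commit had to make the identical edit in both places; a small helper taking the command name would keep the two paths from drifting apart.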
...
...
Changelog.md
...
@@ -24,6 +24,8 @@ OpenCore Changelog
...
@@ -24,6 +24,8 @@ OpenCore Changelog
-
Defined bootloader flavours
-
Defined bootloader flavours
-
Applied own flavour in OC build
-
Applied own flavour in OC build
-
Added CPU topology fixes to
`ProvideCurrentCpuInfo`
quirk
-
Added CPU topology fixes to
`ProvideCurrentCpuInfo`
quirk
-
Updated OC default SIP disabled value
-
Documented SIP values which affect macOS updates
#### v0.6.9
#### v0.6.9
-
Fixed out-of-sync cursor movement rectangle when loading e.g. CrScreenshotDxe
-
Fixed out-of-sync cursor movement rectangle when loading e.g. CrScreenshotDxe
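Review bot: The entry "Updated OC default SIP disabled value" gives neither the old nor the new value, although it changes what CsrUtil and the SIP toggle entry in the OpenCore picker write to csr-active-config. Suggest stating the change explicitly, e.g. "from 0x6F to 0x26F", matching the values given in Configuration.tex.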
...
...
Docs/Configuration.tex
...
@@ -3749,20 +3749,31 @@ nvram 4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102:boot-log |
...
@@ -3749,20 +3749,31 @@ nvram 4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102:boot-log |
entry for disabling and enabling System Integrity Protection in OpenCore picker.
entry for disabling and enabling System Integrity Protection in OpenCore picker.
This will toggle Apple NVRAM variable
\texttt
{
csr-active-config
}
between
\texttt
{
0
}
for
This will toggle Apple NVRAM variable
\texttt
{
csr-active-config
}
between
\texttt
{
0
}
for
SIP Enabled and the current macOS default for SIP Disabled (currently
\texttt
{
0x6F
}
SIP Enabled and a practical default value for SIP Disabled (currently
\texttt
{
0x26F
}
).
for Big Sur).
\emph
{
Note1
}
: Using the SIP Disabled value from a newer version of macOS on an older version
\emph
{
Note1
}
: It is strongly recommended not to make a habit of running macOS with
(e.g. Catalina and below) will report an unknown setting if queried using
\texttt
{
csrutil
\
status
}
,
but will still run correctly and be secure, because new bits are added but old bits
are not removed between versions of macOS. (It is possible to configure
\texttt
{
CsrUtil.efi
}
as a
\texttt
{
TextMode
}
\texttt
{
Tools
}
entry to configure a different value, e.g. use
\texttt
{
toggle
\
0x67
}
in
\texttt
{
Arguments
}
to toggle the default SIP Disabled value for macOS Catalina.)
\emph
{
Note2
}
: It is strongly recommended not to make a habit of running macOS with
SIP disabled. Use of this boot option may make it easier to quickly disable SIP
SIP disabled. Use of this boot option may make it easier to quickly disable SIP
protection when genuinely needed - it should be re-enabled again afterwards.
protection when genuinely needed - it should be re-enabled again afterwards.
\emph
{
Note2
}
: OC uses
\texttt
{
0x26F
}
even though
\texttt
{
csrutil disable
}
on Big Sur
sets
\texttt
{
0x7F
}
. To explain the choice:
\begin{itemize}
\tightlist
\item
\texttt
{
csrutil disable -
{}
-no-internal
}
actually sets
\texttt
{
0x6F
}
, and this is
preferable because
\texttt
{
CSR
\_
ALLOW
\_
APPLE
\_
INTERNAL
}
(
\texttt
{
0x10
}
) prevents updates
(unless you are running an internal build of macOS).
\item
\texttt
{
CSR
\_
ALLOW
\_
UNAPPROVED
\_
KEXTS
}
(
\texttt
{
0x200
}
) is generally useful, in the case
where you do need to have SIP disabled, as it allows installing unsigned kexts without manual
approval in System Preferences.
\item
\texttt
{
CSR
\_
ALLOW
\_
UNAUTHENTICATED
\_
ROOT
}
(
\texttt
{
0x800
}
) is not practical as it prevents
incremental (non-full) OTA updates.
\end{itemize}
\emph
{
Note3
}
: For any other value which you may need to use, it is possible to
configure
\texttt
{
CsrUtil.efi
}
as a
\texttt
{
TextMode
}
\texttt
{
Tools
}
entry to configure a
different value, e.g. use
\texttt
{
toggle
\
0x6F
}
in
\texttt
{
Arguments
}
to toggle the
SIP disabled value set by default by
\texttt
{
csrutil disable -
{}
-no-internal
}
in Big Sur.
\item
\item
\texttt
{
ApECID
}
\\
\texttt
{
ApECID
}
\\
\textbf
{
Type
}
:
\texttt
{
plist
\
integer
}
, 64 bit
\\
\textbf
{
Type
}
:
\texttt
{
plist
\
integer
}
, 64 bit
\\
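Review bot: The rewritten notes drop the old Note1 statement that a SIP Disabled value from a newer macOS is reported as an unknown setting by `csrutil status` on older versions but still works, while the new default 0x26F is described only as "for Big Sur". Since 0x26F adds a bit (0x200) to the previous 0x6F, a sentence on what users of Catalina and below should expect is worth keeping. Separately, the CSR_ALLOW_UNAUTHENTICATED_ROOT item describes a bit that is in neither 0x7F nor 0x26F, so it may read better as a remark after the list than as part of the explanation of the difference between the two.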
...
...
Include/Apple/IndustryStandard/AppleCsrConfig.h
...
@@ -52,16 +52,17 @@
...
@@ -52,16 +52,17 @@
#define CSR_ALWAYS_ENFORCED_FLAGS (CSR_ALLOW_DEVICE_CONFIGURATION | CSR_ALLOW_ANY_RECOVERY_OS)
#define CSR_ALWAYS_ENFORCED_FLAGS (CSR_ALLOW_DEVICE_CONFIGURATION | CSR_ALLOW_ANY_RECOVERY_OS)
///
/* Flags set by default by Apple `csrutil disable`. */
/// Value as applied by csrutil in latest macOS.
#define CSR_DISABLE_FLAGS (CSR_ALLOW_UNTRUSTED_KEXTS | \
/// Keep in sync with discovered non-internal Apple value; below is current for Big Sur.
CSR_ALLOW_UNRESTRICTED_FS | \
///
CSR_ALLOW_TASK_FOR_PID | \
#define CSR_APPLE_DISABLE_SIP_DEFAULT (CSR_ALLOW_UNTRUSTED_KEXTS | \
CSR_ALLOW_KERNEL_DEBUGGER | \
CSR_ALLOW_UNRESTRICTED_FS | \
CSR_ALLOW_APPLE_INTERNAL | \
CSR_ALLOW_TASK_FOR_PID | \
CSR_ALLOW_UNRESTRICTED_DTRACE | \
CSR_ALLOW_KERNEL_DEBUGGER | \
CSR_ALLOW_UNRESTRICTED_NVRAM)
CSR_ALLOW_UNRESTRICTED_DTRACE | \
CSR_ALLOW_UNRESTRICTED_NVRAM )
/* Flags set by default by OC `csrutil disable`. */
#define OC_CSR_DISABLE_FLAGS ((CSR_DISABLE_FLAGS & ~(CSR_ALLOW_APPLE_INTERNAL)) | CSR_ALLOW_UNAPPROVED_KEXTS)
#define CSR_APPLE_SIP_NVRAM_ATTR (EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS)
#define CSR_APPLE_SIP_NVRAM_ATTR (EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS)
#define CSR_APPLE_SIP_NVRAM_NV_ATTR (EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_NON_VOLATILE)
#define CSR_APPLE_SIP_NVRAM_NV_ATTR (EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_NON_VOLATILE)
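Review bot: The comment on OC_CSR_DISABLE_FLAGS says only that these are the flags set by default by OC `csrutil disable`; it gives no reason for masking out CSR_ALLOW_APPLE_INTERNAL or adding CSR_ALLOW_UNAPPROVED_KEXTS, and the removed "Keep in sync with discovered non-internal Apple value" maintenance hint has no replacement. Suggest a one-line rationale here or a pointer to the Configuration.tex note, and naming the tool as CsrUtil.efi or the picker toggle, since csrutil is Apple's tool.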
...
...
Library/OcBootManagementLib/VariableManagement.c
...
@@ -418,7 +418,7 @@ InternalSystemActionToggleSip (
...
@@ -418,7 +418,7 @@ InternalSystemActionToggleSip (
VOID
VOID
)
)
{
{
return
OcToggleSip
(
CSR_APPLE_DISABLE_SIP_DEFAULT
);
return
OcToggleSip
(
OC_CSR_DISABLE_FLAGS
);
}
}
VOID
VOID
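Review bot: InternalSystemActionToggleSip now passes OC_CSR_DISABLE_FLAGS, but the hunk does not show how OcToggleSip treats a csr-active-config that already holds the previous default from CSR_APPLE_DISABLE_SIP_DEFAULT. Worth confirming that such a value is still recognised as SIP disabled and toggles back to 0, rather than being replaced by the new value.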
...
...