This repository has been archived by the owner on Feb 15, 2024. It is now read-only.

Disabling System Integrity Protection #89

Closed
ManasMahapatra opened this issue Aug 6, 2019 · 12 comments

@ManasMahapatra

I successfully set up the virtual machine with macOS Mojave. However, for certain reasons, I need to disable the System Integrity Protection. Is there a way I can get into the recovery mode in the VM?
Host Machine: Ubuntu

@ManasMahapatra ManasMahapatra changed the title from "Disabling System Integrity Protocol" to "Disabling System Integrity Protection" Aug 6, 2019
@RicoVZ

RicoVZ commented Aug 6, 2019

Hi contributors,

Thanks for the great setup script. It really helped.

Same issue/question here. I want to disable SIP.

To get into Recovery Mode, I re-attach the Base system VDI, boot into it, and disable SIP. However, after restarting, Recovery mode is loaded again. It seems it will only boot into Recovery mode unless the Base system VDI is detached again.

The problem is that SIP is enabled again as soon as I boot into the OS, instead of Recovery mode.

I realize this might not be the best place to ask this question. 😅 Some tips/help to get us in the right direction would be greatly appreciated! 🙂

@myspaghetti myspaghetti added the non-script Not likely an issue with the script label Aug 9, 2019
@myspaghetti myspaghetti self-assigned this Aug 9, 2019
@myspaghetti
Owner

You can create an NVRAM variable called csr-active-config and set it to 0x67, for example like so:

VBoxManage setextradata "${vmname}" "VBoxInternal/Devices/efi/0/LUN#0/Config/Vars/0002/Uuid" "7C436110-AB2A-4BBB-A880-FE41995C9F82"
VBoxManage setextradata "${vmname}" "VBoxInternal/Devices/efi/0/LUN#0/Config/Vars/0002/Name" "csr-active-config"
VBoxManage setextradata "${vmname}" "VBoxInternal/Devices/efi/0/LUN#0/Config/Vars/0002/Value" "bytes:$(echo -n '0x67' | xxd -r -p | base64)"

Please mind that I haven't tested this, and the csr-active-config variable might be stored elsewhere.

Additional interesting NVRAM variables found in this repository by erikberglund.

@RicoVZ

RicoVZ commented Aug 9, 2019

We'll try that. Thanks for the response @myspaghetti. It is very much appreciated! 😄

@myspaghetti
Owner

Tested, doesn't work. I recommend copying the value of csr-data from a genuine Mac with CSR disabled, that might work.

@myspaghetti
Owner

@RicoVZ @ManasMahapatra the following disables CSR:

VBoxManage setextradata "${vmname}" "VBoxInternal/Devices/efi/0/LUN#0/Config/Vars/0003/Uuid" "7C436110-AB2A-4BBB-A880-FE41995C9F82"
VBoxManage setextradata "${vmname}" "VBoxInternal/Devices/efi/0/LUN#0/Config/Vars/0003/Name" "csr-active-config"
VBoxManage setextradata "${vmname}" "VBoxInternal/Devices/efi/0/LUN#0/Config/Vars/0003/Value" "bytes:$(echo -n '0x77' | xxd -r -p | base64)"

The csr-active-config value is 0x77 (in base16 encoded as base64). Make sure the EFI variable index is unique, for example if 0003 is already assigned, use 0004 and so on.

@ManasMahapatra
Author

Will try that. Thanks for all the help, @myspaghetti .

@mataps

mataps commented Aug 13, 2019

Hello guys, I found out that this works for Windows. Haven't tested on other hosts.

VBoxManage setextradata "macOS" "VBoxInternal/Devices/efi/0/LUN#0/Config/Vars/0002/Uuid" "7C436110-AB2A-4BBB-A880-FE41995C9F82"
VBoxManage setextradata "macOS" "VBoxInternal/Devices/efi/0/LUN#0/Config/Vars/0002/Name" "csr-active-config"
VBoxManage setextradata "macOS" "VBoxInternal/Devices/efi/0/LUN#0/Config/Vars/0002/Value" "bytes:dwAAAA=="

@myspaghetti
Owner

@mataps you don't need the extra three bytes after 0x77 (0x77 0x00 0x00 0x00). The NVRAM variable has been incorporated into the script.

@mataps

mataps commented Aug 15, 2019

@myspaghetti You're right, for some reason base64 didn't work for me during that time. So I went and used a web-based base64 encoder which added those extra bytes. I should use dw== instead, thanks @myspaghetti
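
The two encodings compared in the comments above (dw== and dwAAAA==) can be decoded and checked against the SIP flag bits before a value is applied to a VM. This is an added example, not part of the thread or of the project's script: the flag names and bit values are those of XNU's bsd/sys/csr.h, the function names are hypothetical, and GNU-style `base64 -d` is assumed.

```shell
#!/bin/sh
# Added example: audit which SIP protections a csr-active-config value switches off.
# Bit names and values are from XNU's bsd/sys/csr.h.
CSR_FLAGS='
0x001:CSR_ALLOW_UNTRUSTED_KEXTS
0x002:CSR_ALLOW_UNRESTRICTED_FS
0x004:CSR_ALLOW_TASK_FOR_PID
0x008:CSR_ALLOW_KERNEL_DEBUGGER
0x010:CSR_ALLOW_APPLE_INTERNAL
0x020:CSR_ALLOW_UNRESTRICTED_DTRACE
0x040:CSR_ALLOW_UNRESTRICTED_NVRAM
0x080:CSR_ALLOW_DEVICE_CONFIGURATION
0x100:CSR_ALLOW_ANY_RECOVERY_OS
0x200:CSR_ALLOW_UNAPPROVED_KEXTS
0x400:CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE
0x800:CSR_ALLOW_UNAUTHENTICATED_ROOT
'

# Turn a VirtualBox extradata value ("bytes:<base64>") into a hex integer.
# Bytes are combined little-endian, so trailing 0x00 padding does not change it.
csr_value_from_extradata() (
  b64=${1#bytes:}
  hex=$(printf '%s' "$b64" | base64 -d 2>/dev/null | od -An -v -tx1)
  [ -n "$hex" ] || exit 1          # nothing decoded
  value=0; pos=0
  for byte in $hex; do
    value=$(( value | (0x$byte << pos) ))
    pos=$(( pos + 8 ))
  done
  printf '0x%x\n' "$value"
)

# Print one flag name per bit set in the given value (e.g. 0x77).
csr_flags() (
  value=$(( $1 ))
  for entry in $CSR_FLAGS; do
    bit=${entry%%:*}; name=${entry#*:}
    if [ $(( value & $bit )) -ne 0 ]; then printf '%s\n' "$name"; fi
  done
)

# Constructed demo inputs: the two encodings quoted in this thread.
for v in 'bytes:dw==' 'bytes:dwAAAA=='; do
  n=$(csr_value_from_extradata "$v") && printf '%s -> %s\n' "$v" "$n" && csr_flags "$n"
done
```

Running `csr_flags 0x67` and `csr_flags 0x77` side by side lists the one bit in which the two values mentioned in this thread differ.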

@dvcrn

dvcrn commented Jun 23, 2020

I tried this on a Catalina install (macOS host) and it resulted in the VM giving me a "Can't attach Nvram Storage driver". Can anyone confirm that this method works on Catalina?

/EDIT: This has worked for me to get me into recovery and disable SIP: geerlingguy/macos-virtualbox-vm#46 (comment)

@myspaghetti
Owner

@dvcrn this is an old issue that doesn't apply to current versions. You can disable SIP as described in the documentation.

@crashbandicode

Just leaving this to help anyone who may have run into issues following the documentation. It was small, but basically after making the new ISO you need to mount it explicitly. When I rebooted after deleting the NVRAM etc. it booted me into recovery for some reason. I restarted into macOS, picking the option without "base system" in the name. Then I logged in via ssh and mounted the ISO using diskutils. After that I was able to follow the rest of the documentation and copy everything over to EFI. Everything is working now.
