Acidanthera Bugtracker

Not possible to run csrutil from recovery (only Big Sur?) if csr-active-config is in config.plist #1728

Closed 82ghost82 closed 3 years ago

82ghost82 commented 3 years ago

Hi, I'm running Big Sur 11.4 (20F71), but I remember I had this issue starting from Big Sur. The premise is that I'm running macOS with OVMF, so my EFI vars are stored in the OVMF_VARS.fd file. The sample.plist in the OC repo contains the entry for csr-active-config equal to AAAAAA== (data, meaning SIP enabled) in the Add section only, so it is possible to override this value until an NVRAM reset or until the csr-active-config variable is manually deleted. If I set csr-active-config in my config.plist, the same as the sample.plist, and I boot into recovery, the commands "csrutil disable" or "csrutil authenticated-root disable" (these as examples) output a message that it's not possible to change the system integrity configuration. I remember that in older versions of Big Sur, starting from the betas, the message was different, something like "csrutil must be run from recovery" (...and yes, I was in recovery).

Update: I found, from another discussion dated 11 July 2020, what I wrote in the past with the first betas (JumpstartHotPlug=true was needed, but it was fixed later in OC): First thing to do is to ensure that you don't have the csr-active-config key (OpenCore) in the Add section of NVRAM: at the time of writing, if you have some value in that field you will not be able to disable authenticated-root via recovery (if you boot into recovery with JumpstartHotPlug=true and give the command csrutil authenticated-root disable you will receive "csrutil: Failed to disable the authenticated root setting. This tool needs to be executed from the Recovery OS.").

If I delete the csr-active-config entry in the config.plist and boot into recovery, I can run csrutil successfully and I can manage SIP without any problem. If I list the NVRAM variables I have no csr-active-config variable, but csrutil status returns enabled or disabled correctly, according to the commands issued.

This behavior doesn't sound correct to me. Is this something you experience in bare-metal installations? Maybe it's related to OVMF only?

82ghost82 commented 3 years ago

Some additional data: tested with updated Big Sur 11.5 (20G71) and the latest master OC debug.

Working case: no csr-active-config in config.plist; booted and performed NVRAM reset; booted to recovery and issued csrutil commands.

(screenshot: working)

NOT working case: csr-active-config in config.plist (enabled); booted and performed NVRAM reset; booted to recovery and issued csrutil commands.

(screenshot: not-working)

mikebeaton commented 3 years ago

This should be to do with having WriteFlash=false in your config. If so, just use true (which has been the recommended default since the setting was added).

You might want to look up CsrUtil in the OC Configuration.pdf, as there is now an OC tool which lets you modify the SIP settings without having to boot all the way into recovery. (And which is compatible with volatile NVRAM settings, i.e. WriteFlash=false, if you do still want to use that.)
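A small check for the combination described in this thread, added here as an example (it is not OpenCore's code nor anything posted in the issue): it parses a constructed config.plist excerpt with plistlib and flags a csr-active-config entry under NVRAM/Add whenever WriteFlash is false, and can emit a corrected copy with WriteFlash set to true. The GUID in the sample is the Apple NVRAM GUID used by OpenCore's sample.plist; treating an absent WriteFlash as false is an assumption based on the OpenCore failsafe value.

```python
import plistlib

# Constructed sample config.plist excerpt (not a real config): csr-active-config
# is set under NVRAM/Add while WriteFlash is false, the combination reported in
# the issue. The GUID is the Apple NVRAM GUID used by OpenCore's sample.plist.
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NVRAM</key>
  <dict>
    <key>Add</key>
    <dict>
      <key>7C436110-AB2A-4BBB-A880-FE41995C9F82</key>
      <dict>
        <key>csr-active-config</key>
        <data>AAAAAA==</data>
      </dict>
    </dict>
    <key>WriteFlash</key>
    <false/>
  </dict>
</dict>
</plist>
"""

def check_csr_nvram(config_bytes):
    """Return warning strings for csr-active-config entries under NVRAM/Add
    when WriteFlash is false; an empty list means nothing to flag."""
    cfg = plistlib.loads(config_bytes)
    nvram = cfg.get("NVRAM", {})
    # Absent key treated as false (assumption: matches the OpenCore failsafe).
    write_flash = bool(nvram.get("WriteFlash", False))
    warnings = []
    for guid, variables in nvram.get("Add", {}).items():
        if isinstance(variables, dict) and "csr-active-config" in variables:
            if not write_flash:
                warnings.append(
                    f"NVRAM/Add/{guid}/csr-active-config is set with "
                    "WriteFlash=false: csrutil in Recovery cannot change SIP; "
                    "set WriteFlash to true or remove the entry")
    return warnings

def set_write_flash(config_bytes, value=True):
    """Return a copy of the config with NVRAM/WriteFlash set to `value`."""
    cfg = plistlib.loads(config_bytes)
    cfg.setdefault("NVRAM", {})["WriteFlash"] = value
    return plistlib.dumps(cfg)
```

Run check_csr_nvram on a real config.plist read as bytes to see whether it matches the non-working case above.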

82ghost82 commented 3 years ago

Thank you Mike, indeed it was as you wrote. Thank you very much again; my statistics of real opened issues decrease to 70% :)