timsutton / osx-vm-templates

macOS templates for Packer and VeeWee.
MIT License

DISABLE_SIP doesn't seem to be working #75

Open xaocon opened 7 years ago

xaocon commented 7 years ago

I thought that there was an issue with the way the prepare_iso.sh script was working with matches at first, but now I've moved the csrutil disable line out of the conditional and redirected output to a file. I see now that when it's run there is a "Successfully disabled System Integrity Protection. Please restart the machine for the changes to take effect." but when the system is imported and brought up it is not disabled. I've been trying to boot the system into recovery so I can try again, but I haven't figured out the magic needed to catch that at boot yet.

timsutton commented 7 years ago

In my experience it's possible to boot into it using Cmd+R if you're using VMware Fusion, if you're quick enough. If you can't "catch" it in time, it's possible to set a BIOS boot delay parameter in VMX.

xaocon commented 7 years ago

Thanks @timsutton, I'm using VirtualBox and was never able to catch it. I did find a way to boot into recovery by catching the EFI menu and booting the recovery EFI directly. Upon entering recovery and disabling SIP there, the system now actually has SIP disabled.

Do you know if the DISABLE_SIP flag works for you when building the image @timsutton ? It would surprise me if an issue like this was specific to my setup and I'm pretty sure that I've done things correctly. As I had mentioned above, I've even logged the successful output of the command being run in veewee-config.pkg.

timsutton commented 7 years ago

My guess is that it's not possible to actually disable SIP on Vbox, because it relies on nvram variables being set. What's the output of nvram -p, both immediately after running csrutil disable and then once booted into the regular OS?

wmiller848 commented 7 years ago

Ditto @xaocon's experience with VirtualBox 5.1.24 r117012 (Qt5.6.2).

Running macOS Sierra 10.12.6, I can't even locate the recovery drive from the EFI Shell to attempt to boot into recovery mode; Command-R and other variants just drop me into the BIOS with no hope of booting into recovery.

I suspect, based off @timsutton's and other thoughts here, that even if I could boot into recovery mode to disable SIP, the NVRAM reset that VirtualBox does on boot is going to nullify it anyway.

Huge pain, just getting into KEXT development and I've spent 2 days trying to get a working virtual target machine to develop against :(

I think the resolution here is just shelling out some money for VMware Fusion?
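
The comparison asked for earlier in the thread (the `nvram -p` output right after `csrutil disable` versus after booting the regular OS), which would also test the suspicion that NVRAM is reset on boot, as an added example that is not part of the original thread or the project's code. It assumes both outputs were saved as text and that the SIP setting lives in the `csr-active-config` NVRAM variable; the two sample captures are constructed.

```python
import re

CSR_VAR = "csr-active-config"  # NVRAM variable assumed to hold the SIP bitmask

def decode_value(value):
    """Undo the %XX escaping that `nvram -p` applies to non-printable bytes."""
    raw = value.encode("latin-1")
    return re.sub(rb"%([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)

def parse_nvram(text):
    """Turn `nvram -p` output (one name<TAB>value pair per line) into {name: bytes}."""
    variables = {}
    for line in text.splitlines():
        name, sep, value = line.partition("\t")
        if sep:
            variables[name.strip()] = decode_value(value)
    return variables

def csr_mask(variables):
    """Return the SIP bitmask as an int, or None if the variable is absent."""
    raw = variables.get(CSR_VAR)
    if raw is None:
        return None
    return int.from_bytes(raw[:4].ljust(4, b"\0"), "little")

def compare_captures(after_csrutil, after_reboot):
    """Classify what happened to the SIP variable between the two captures."""
    before = csr_mask(parse_nvram(after_csrutil))
    after = csr_mask(parse_nvram(after_reboot))
    if before is None:
        verdict = "never-written"    # csrutil's change did not reach NVRAM
    elif after is None:
        verdict = "lost-on-reboot"   # written, but the variable did not survive the boot
    elif after == before:
        verdict = "persisted"
    else:
        verdict = "changed"
    return verdict, before, after

# Constructed sample captures (not taken from a real machine)
AFTER_CSRUTIL = "SystemAudioVolume\t%80\ncsr-active-config\tw%00%00%00\n"
AFTER_REBOOT = "SystemAudioVolume\t%80\n"

if __name__ == "__main__":
    verdict, before, after = compare_captures(AFTER_CSRUTIL, AFTER_REBOOT)
    fmt = lambda m: "absent" if m is None else hex(m)
    print(f"{CSR_VAR}: after csrutil={fmt(before)}, after reboot={fmt(after)} -> {verdict}")
```

A `lost-on-reboot` verdict means the value was written and then dropped by the time the regular OS booted, so the hypervisor is not persisting NVRAM; `never-written` points back at the build step instead.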