Thread: Explaining OS X El Capitan Security Changes - Workarounds and Current Information

    Over the past few OS X releases, Apple has tightened system security. They have gradually begun to bring OS X in line with iOS in terms of locking down certain areas of the system to the user.

    In OS X El Capitan Apple has implemented ‘rootless’ security or System Integrity Protection (SIP). This locks down system folders and files against hacks and root attacks, thus keeping the system safer. As good as this is for security, it has made things much harder for the hackintosh community, requiring workarounds for established methods of installation and maintenance for generic PCs. It has become necessary to make drastic changes in order to modify current tools to inject unsigned kexts and alter system kexts. These changes are in testing and yet to be completed for the legacy bootloaders Chameleon/Chimera and the EFI bootloader Clover.

    Starting with OS X 10.10 Yosemite, in order to load unsigned kexts the user had to pass the boot flag kext-dev-mode=1. As of OS X 10.11 El Capitan, that option is not available anymore.

    Early OS X 10.11 El Capitan betas contained a new boot flag to disable rootless security called rootless=0. This has been removed in recent beta builds and replaced with the NVRAM variable csr-active-config. This provides much finer-grained control over SIP, allowing the user to toggle the new rootless security options on and off either completely or partially. OS X also contains a new application on the Recovery Partition to enable or disable SIP.

    A good rule of thumb is that when rebuilding the kernel cache on a hackintosh, SIP must be disabled. SIP must be disabled in order to install anything to protected system folders. SIP can also be disabled partially, to allow unsigned kexts in cache and installation to protected folders.

    We will likely eventually recommend that SIP be disabled from the beginning of the installation through post-installation process. After everything is set, and the user is successfully booting, SIP can be re-enabled.

    As of today, the only bootloader that will inject kexts into protected cache and adjust SIP settings on the fly is Clover v3259 or later. Clover can set csr-active-config with config.plist/RtVariables/CsrActiveConfig and config.plist/RtVariables/BooterConfig=0x28.

    Relevant user options for SIP are as follows:
    csr-active-config 0x0 = SIP Enabled (Default)
    csr-active-config 0x3 = SIP Partially Disabled (Loads unsigned kexts)
    csr-active-config 0x67 = SIP Disabled completely

    Clover config.plist:

    As far as system protection goes, this is all new. OS X hasn’t had this level of system security before, and at this point it seems as if users can simply take it or leave it at their own risk. As Rehabman wisely said, “The sky will not fall if you disable SIP… it is equivalent to the security scenario we’ve been using on hacks for a long time.”

    We expect that by the official launch of OS X El Capitan, bootloaders will be fixed and methods will be solidified. Guides and complete solutions should be available even for the most novice of users. For now, we've updated our El Capitan Public Beta USB installation guide with config.plist examples that will work with the latest Public Betas.

    How to Create a OS X El Capitan Public Beta Installation USB Using Clover

    Special thanks to toleda and RehabMan for their contributions to this report. Credit to Piker Alpha for his amazing in-depth explanations on his blog.

    Clover EFI bootloader download

    From Tonymacx86 at, Explaining OS X El Capitan Security Changes - Workarounds and Current Information
    Last edited by Janis.Y.Chen; Thu 20th August '15 at 1:42pm.
    Clinical Pharmacy Specialist - Infectious Diseases
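
The csr-active-config values listed in the post (0x0, 0x3, 0x67) are bitmasks, so the following added example, which is not part of the original post or of Clover, decodes which SIP protections a given value relaxes when auditing a machine. The flag names follow XNU's bsd/sys/csr.h for OS X 10.11, and the percent-encoded input form is how `nvram csr-active-config` is assumed to print the 4-byte little-endian value; neither appears in the post.

```python
"""Decode a csr-active-config value into the SIP protections it relaxes."""
from urllib.parse import unquote_to_bytes

# Bit names per XNU bsd/sys/csr.h (OS X 10.11); not listed in the post itself.
CSR_FLAGS = {
    0x01: "CSR_ALLOW_UNTRUSTED_KEXTS",
    0x02: "CSR_ALLOW_UNRESTRICTED_FS",
    0x04: "CSR_ALLOW_TASK_FOR_PID",
    0x08: "CSR_ALLOW_KERNEL_DEBUGGER",
    0x10: "CSR_ALLOW_APPLE_INTERNAL",
    0x20: "CSR_ALLOW_UNRESTRICTED_DTRACE",
    0x40: "CSR_ALLOW_UNRESTRICTED_NVRAM",
    0x80: "CSR_ALLOW_DEVICE_CONFIGURATION",
}


def parse_csr_value(text):
    """Accept '0x67', 'g%00%00%00', or a full 'csr-active-config<TAB>value' line."""
    name, tab, value = text.rstrip("\r\n").partition("\t")
    if not tab:                      # no variable name in front, value only
        value = name
    if value.strip().lower().startswith("0x"):
        return int(value.strip(), 16)
    # Assumed nvram format: printable bytes appear raw, all others as %xx.
    raw = unquote_to_bytes(value)
    if len(raw) != 4:
        raise ValueError(f"expected 4 bytes, got {len(raw)}: {value!r}")
    return int.from_bytes(raw, "little")


def decode_csr(value):
    """Return the names of every protection the bitmask switches off."""
    names = [flag for bit, flag in CSR_FLAGS.items() if value & bit]
    unknown = value & ~sum(CSR_FLAGS)    # bits outside the 10.11 definitions
    if unknown:
        names.append(f"UNKNOWN_BITS_0x{unknown:x}")
    return names


if __name__ == "__main__":
    # Constructed sample inputs covering the three values from the post.
    samples = ["0x0", "csr-active-config\t%03%00%00%00", "g%00%00%00"]
    for sample in samples:
        value = parse_csr_value(sample)
        relaxed = decode_csr(value) or ["none (SIP fully enabled)"]
        print(f"0x{value:02x}: " + ", ".join(relaxed))
```

Decoded this way, 0x3 relaxes only kext signing and filesystem protection, while 0x67 additionally relaxes the task_for_pid, DTrace and NVRAM restrictions.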
