<hr />
-<p>Apple's OS X 10.11 (aka <i>El Capitan</i>) includes a new feature, known as System Integrity Protection (SIP), aka "rootless" mode. To understand SIP, you should first know that Unix-like systems, including OS X, have traditionally provided a model of security in which ordinary users can read and write their own files (word processor documents, their own digital photos, etc.), but not system files (programs, system configuration files, etc.). This system security model has worked well for decades on traditional Unix systems, which have been administered by computer professionals and used by individuals with less experience. For administrative tasks, the <tt>root</tt> account is used; on Macs, this access is generally granted by the <tt>sudo</tt> command or by various GUI tools. Most Macs are single-user computers that are administered by their users. Such people often lack the knowledge of the professional system administrators who have traditionally managed Unix systems; but they must still perform system administration tasks such as installing new software and configuring network settings. OS X has always provided some measure of security by requiring users to enter their passwords before performing these dangerous tasks, and by providing GUI tools to help guide users through these tasks in a way that minimizes the risk of damage.</p>
+<div style="float:right; width:55%">
+
+<p>Apple's OS X 10.11 (aka <i>El Capitan</i>) includes a new feature, known as System Integrity Protection (SIP), aka "rootless" mode. This feature is causing some consternation for advanced users, because it restricts what you can do with your computer, even as <tt>root</tt>. This page is dedicated to this new feature, including basic information on why SIP exists, how to install rEFInd on a computer with SIP enabled, and how to use rEFInd to manage SIP.</p>
+
+</div>
+
+<div class="navbar">
+
+<h4 class="tight">Contents</h4>
+
+<ul>
+
+<li class="tight"><a href="#what_is">What Is SIP?</li>
+
+<li class="tight"><a href="#sip_enabled">Installing rEFInd with SIP Enabled</a>
+
+ <ul>
+
+ <li class="tight"><a href="#recovery">Using Recovery Mode</a>
+
+ <li class="tight"><a href="#disable">Disabling SIP</a>
+
+ <li class="tight"><a href="#another">Using Another OS</a>
+
+ </ul>
+
+</li>
+
+<li class="tight"><a href="#refind_manage">Using rEFInd to Manage SIP</a></li>
+
+<li class="tight"><a href="#conclusion">Conclusion</a></li>
+
+</ul>
+
+</div>
+
+<a name="what_is">
+<h2>What Is SIP?</h2>
+</a>
+
+<p>To understand SIP, you should first know that Unix-like systems, including OS X, have traditionally provided a model of security in which ordinary users can read and write their own files (word processor documents, their own digital photos, etc.), but cannot write to system files (programs, system configuration files, etc.)—and users cannot even read some system files. This system security model has worked well for decades on traditional Unix systems, which have been administered by computer professionals and used by individuals with less experience. For administrative tasks, the <tt>root</tt> account is used. On Macs, this access is generally granted by the <tt>sudo</tt> command or by various GUI tools. Most Macs are single-user computers that are administered by their users. Such people often lack the knowledge of the professional system administrators who have traditionally managed Unix systems; but they must still perform system administration tasks such as installing new software and configuring network settings. OS X has always provided some measure of security by requiring users to enter their passwords before performing these dangerous tasks, and by providing GUI tools to help guide users through these tasks in a way that minimizes the risk of damage.</p>
<p>Apple has apparently decided that these safeguards are no longer sufficient. I won't try to speak for Apple or explain their motivations, but the result of Apple's decisions is SIP. With SIP active, as is the default, OS X limits your ability to perform some of these administrative tasks. You can still install and remove most third-party programs, configure your network, and so on; but some critical directories can no longer be written, even as <tt>root</tt>, and some utilities cannot be used in certain ways, even as <tt>root</tt>. These restrictions impact rEFInd because one of the affected tools, a command called <tt>bless</tt>, is required to tell the Mac to boot rEFInd rather than to boot OS X directly.</p>
-<p>The end result of SIP is that rEFInd cannot be installed under OS X 10.11 in the way described on the <a href="installing.html">Installing rEFInd</a> page—at least, not without first booting into <a href="#recovery">Recovery mode,</a> in which SIP restrictions are ignored or <a href="#disable">disabling SIP.</a> This page covers these two options in more detail, as well as a third: <a href="#another">Using another OS</a> to install rEFInd.</p>
+<a name="sip_enabled">
+<h2>Installing rEFInd with SIP Enabled</h2>
+</a>
+
+<p>The end result of SIP is that rEFInd cannot be installed under OS X 10.11 in the way described on the <a href="installing.html">Installing rEFInd</a> page—at least, not without first booting into <a href="#recovery">Recovery mode,</a> in which SIP restrictions are ignored; or <a href="#disable">disabling SIP</a> (either temporarily or permanently). This page covers these two options in more detail, as well as a third: <a href="#another">Using another OS</a> to install rEFInd.</p>
<a name="recovery">
-<h2>Using Recovery Mode</h2>
+<h3>Using Recovery Mode</h3>
</a>
-<p>Unless you've deleted its partition, the Recovery HD partition should be present on your Mac as a way to perform emergency recovery operations. The nature of this tool means that SIP cannot be enabled, so you can install rEFInd from a boot to this partition. The trouble is that this installation is not a full-fledged OS X system, so you may have trouble using it if you're not comfortable with such a bare-bones environment. Nontheless, it is arguably the best way to install rEFInd on a Mac that runs OS X 10.11. To do so, follow these steps:</p>
+<p>Unless you've deleted it, the Recovery HD partition should be present on your Mac as a way to perform emergency recovery operations. The nature of this tool means that SIP cannot be enabled when using it, so you can install rEFInd from a boot to this partition. The trouble is that this installation is not a full-fledged OS X system, so you may have trouble using it if you're not comfortable with such a bare-bones environment. Nontheless, it is arguably the best way to install rEFInd on a Mac that runs OS X 10.11. To do so, follow these steps:</p>
<ol>
<li>Reboot the computer.</li>
-<li>At the startup chime, hold down the Option+R key combination. The computer should launch into the Recovery system. This is a very bare system, with only a window providing a way to launch a handful of utilities and a menu bar, as shown here:</li>
-
- <br /><center><img src="recovery-mode.png" align="center" width="814"
- height="514" alt="To install rEFInd, you must launch the Terminal from
- the menu bar." border=2> </center><br />
+<li>At the startup chime, hold down the Option+R key combination. The computer should launch into the Recovery system. This is a very bare system, with only a window providing a way to launch a handful of utilities and a menu bar. You must use the latter.</li>
<li>Select Utilities -> Terminal from the menu bar. A Terminal window should open.</li>
<li>Increase the size of the Terminal a bit. (This just makes its output more legible, since the next step produces long lines.)</li>
-<li>Type <tt class="userinput">df -h</tt> in the Terminal. This produces a list of partitions that are mounted. Locate the one on which you unpacked the rEFInd files. It will normally be <tt>/Volumes/<tt class="variable">Somename</tt></tt>, where <tt class="variable">Somename"</tt> is the volume's name.</li>
+<li>Type <tt class="userinput">df -h</tt> in the Terminal. This produces a list of partitions that are mounted. Locate the one on which you unpacked the rEFInd files. It will normally be <tt>/Volumes/<tt class="variable">Somename</tt></tt>, where <tt class="variable">Somename</tt> is the volume's name.</li>
-<li>In the Terminal, use <tt>cd</tt> to change to the directory where the rEFInd files you unpacked earlier are stored. For instance, on my MacBook, I would type <tt class="userinput">cd /Volumes/Macintosh\ HD/Users/rodsmith/Destkop/refind-0.9.3</tt>. Note that if any element of this path includes a space, you must either enclose the <i>entire path</i> in quotes or precede the space with a backslash (<tt>\</tt>), as in this example's <tt>Macintish\ HD</tt> volume name.</li>
+<li>In the Terminal, use <tt>cd</tt> to change to the directory where the rEFInd files you unpacked earlier are stored. For instance, on my MacBook, I would type <tt class="userinput">cd /Volumes/Macintosh\ HD/Users/rodsmith/Destkop/refind-0.10.1</tt>. Note that if any element of this path includes a space, you must either enclose the <i>entire path</i> in quotes or precede the space with a backslash (<tt>\</tt>), as in this example's <tt>Macintish\ HD</tt> volume name.</li>
<li>Type <tt class="userinput">ls</tt> to verify that <tt>refind-install</tt> is present in this directory.</li>
-<li>Type <tt>./refind-install</tt> to run the installation script.</li> It should run normally, as described on the <a href="installing.html">Installing rEFInd</a> page. You can add options, if you like, as described on the Installing rEFInd page. Alternatively, you can perform a manual installation, also as described on that page.</li>
+<li>Type <tt class="userinput">./refind-install</tt> to run the installation script. It should run normally, as described on the <a href="installing.html">Installing rEFInd</a> page. You can add options, if you like, as described on that page. Alternatively, you can perform a manual installation, also as described on that page.</li>
<li>Reboot.</li>
<p>At this point, rEFInd should come up and enable you to boot into OS X and any other OS(es) that are already installed. You should not need to perform these steps again unless OS X re-installs its own boot loader or a subsequent OS installation overrides the default boot option. You can install an updated rEFInd and it should install correctly, provided you're installing it to the EFI System Partition (ESP). The <tt>refind-install</tt> script may complain about a failure, but because you're overwriting one rEFInd binary with another one, it should continue to boot.</p>
<a name="disable">
-<h2>Disabling SIP</h2>
+<h3>Disabling SIP</h3>
</a>
<p>Another option is to disable SIP for your regular boot. This is a viable option if you're an expert who needs regular access to tools with which SIP interferes, such as low-level disk utilities. Regular users should probably avoid this option unless the preceding procedure does not work—and in that case, you should disable SIP temporarily and then re-enable it when you've finished installing rEFInd.</p>
<p>If you want to re-enable SIP, you can do so in exactly the way you disabled it, except that you should type <tt class="userinput">csrutil enable</tt> rather than <tt class="userinput">csrutil disable</tt> in the Recovery environment.</p>
<a name="another">
-<h2>Using Another OS</h2>
+<h3>Using Another OS</h3>
</a>
<p>A final option for installing rEFInd on a Mac that runs with SIP enabled is to do the installation using another OS. This other OS could be an OS that's already installed or an emergency boot disk, such as an <a href="http://www.ubuntu.com">Ubuntu</a> installation/recovery system.</p>
<p>I've tested this method of installing rEFInd on my MacBook Air, but I can't promise it will work on all Macs—or even on an identical Mac with a configuration that's different from mine. My preference is to install rEFInd under OS X on Macs, because Apple likes to do things differently from everybody else, and so a Mac's firmware might not react in the usual way to tools like <tt>efibootmgr</tt> in Linux or <tt>bcdedit</tt> in Windows.</p>
-<a name="conclusion">
-<h2>Conclusion</h2>
+<a name="refind_manage">
+<h2>Using rEFInd to Manage SIP</h2>
</a>
-<p>Although the goal of increased security is a good one, SIP is causing problems for intermediate and advanced users. The good news is that the process to install rEFInd on a system that runs OS X 10.11, although more complex than it used to be, is not an impossible one. Furthermore, once you've done it, you shouldn't have to do it again for a while. (An update to OS X's boot loader is entirely possible, though. If nothing else, the next major OS X update may require re-installing rEFInd.)</p>
+<p>Once rEFInd is installed, you can use it to manage SIP features; however, the rEFInd features needed to do this are disabled by default. You must uncomment or add two lines to your <tt>refind.conf</tt> file:</p>
+
+<p class="sidebar"><b>Note:</b> Apple code samples and technical discussions are filled with the acronym "CSR." I don't know for what this acronym stands, but as it appears to be used in preference to "SIP" or "rootless" when referring to specific values, I used it in the <tt>refind.conf</tt> files token names.</p>
+
+<ul>
+
+<li><tt class="userinput">showtools</tt>—This line specifies tools that appear on the second row of icons in rEFInd. The new tool for managing SIP is called <tt>csr_rotate</tt>, so you must uncomment <tt>showtools</tt> and add this option, or create a new <tt>showtools</tt> line.</li>
+
+<li><tt class="userinput">csr_values</tt>—This line lists the hexadecimal values through which you can rotate once <tt>csr_rotate</tt> is active on the <tt>showtools</tt> line. The trick to this token is selecting appropriate options. Several sites, such as <a href="http://www.idelta.info/archives/sip-rootless-internal-in-el-capitan/">this one</a> and <a href="http://osxarena.com/2015/10/guide-details-apples-system-integrity-protection-sip-for-hackintosh/">this one,</a> describe the meanings of the various options, but often not in much detail. Apple's own <tt>csrutil</tt> command sets values of 77 (disabled) or 10 (enabled). Note also that you specify hexadecimal values on this line, but without a leading <tt>0x</tt> or other hexadecimal-notation indicator. If you put gibberish values, or hexadecimal values higher than those used by SIP, rEFInd ignores the bad entries. Thus, if some of your values are being ignored, you should check your <tt>csr_values</tt> line for typos.</li>
+
+</ul>
+
+<p>Note that <i><b>both</b></i> of these options must be set appropriately. If either of them is missing or misconfigured, rEFInd will not display the new SIP tool. A typical configuration using these features might look like this:</p>
-<p></p>
+<pre class="listing">showtools shell,memtest,gdisk,csr_rotate,apple_recovery,windows_recovery,mok_tool,about,shutdown,reboot,firmware
+csr_values 10,77</pre>
+
+ <img src="func_csr_rotate.png" align="right" width="48" height="48"
+ alt="The SIP rotation tool rotates through all the CSR values you set"
+ border=2 background="gray"/>
+
+<p>Once these options are set and you reboot into rEFInd, you should see a new shield icon, as shown at the right. When you select this tool, rEFInd identifies the next available CSR value from the list you specified and switches to that mode, rotating back to the start of the list once the end is reached. To confirm that the SIP mode has changed, rEFInd displays, for three seconds, a message identifying the new mode.</p>
+
+<p>Whether or not you've enabled these SIP features in <tt>refind.conf</tt>, rEFInd displays the current SIP status on its "About" page:</p>
+
+ <br /><center><img src="about.png" align="center" width="525"
+ height="559" alt="rEFInd presents a graphical menu for selecting your
+ boot OS." border=2> </center><br />
+
+<p>Note the line that reads "System Integrity Protection is disabled (0x77)." This line will be updated whenever you use the CSR rotation tool, so if you've specified a large number of values and have forgotten where you are in your rotation, you can use the About screen to figure it out.</p>
+
+<p>Both the summary on the About page and the CSR rotation tool depend on the presence of the <tt>csr-active-config</tt> NVRAM variable, which is where this information is stored. Thus, these features will not be present on older Macs that have not seen the presence of an OS X version that sets this variable. Likewise, you probably won't see the SIP summary in About or be able to set these values via <tt>csr_rotate</tt> and <tt>csr_values</tt> on a UEFI-based PC. (You could always create the variable on such a system in some other way, in which case rEFInd would let you adjust it, but it would have no effect on any OS except OS X.)</p>
+
+<p>I provide these features in rEFInd as a convenience for developers and other advanced users who have a legitimate need to adjust their SIP settings. Using rEFInd for this purpose is much faster than booting into the OS X Recovery system to make these adjustments. I discourage others from playing with these settings, since changing them inappropriately could cause problems; that's why they're not enabled by default.</p>
+
+<a name="conclusion">
+<h2>Conclusion</h2>
+</a>
-<p></p>
+<p>Although the goal of increased security is a good one, SIP is causing problems for intermediate and advanced users. The good news is that the process to install rEFInd on a system that runs OS X 10.11, although more complex than it used to be, is not an impossible one. Furthermore, once you've done it, you shouldn't have to do it again for a while. (An update to OS X's boot loader is entirely possible, though. If nothing else, the next major OS X update may require re-installing rEFInd.) For advanced users, rEFInd can adjust SIP settings, which can be helpful if you occasionally want to do something that require greater-than-typical privileges.</p>
<hr />