From 0758b647b0411755825b59e9941963299df61e6d Mon Sep 17 00:00:00 2001 From: srs5694 Date: Thu, 5 Nov 2015 10:55:56 -0500 Subject: [PATCH] Enable SIP features on CD-R and USB flash drive images (leaving them disabled for regular installs). --- NEWS.txt | 18 ++++++++-------- docs/refind/sip.html | 49 ++++++++++++++++++++++++++++++++++++-------- mkcdimage | 4 +++- 3 files changed, 53 insertions(+), 18 deletions(-) diff --git a/NEWS.txt b/NEWS.txt index b9898dd..827ab96 100644 --- a/NEWS.txt +++ b/NEWS.txt @@ -2,15 +2,15 @@ ------------------- - Added new System Integrity Protection (SIP) rotation feature for Macs - running OS X 10.11 or later. This feature is disabled by default. To - enable it, you must make TWO changes to refind.conf: Uncomment the new - "csr_values" item and add "csr_rotate" to the "showtools" line - (uncommenting it, too, if it's commented out). If desired, you can set - more values on "csr_values"; these are comma-delimited one-byte - hexadecimal values that define various SIP states. When SIP/CSR rotation - is activated, a new shield icon appears among the tools. Selecting it - causes the next defined value to be set and a confirmation message to - appear for three seconds. + running OS X 10.11 or later. This feature is disabled by default, except + on CD-R and USB flash drive images, on which it's enabled. To enable it, + you must make TWO changes to refind.conf: Uncomment the new "csr_values" + item and add "csr_rotate" to the "showtools" line (uncommenting it, too, + if it's commented out). If desired, you can set more values on + "csr_values"; these are comma-delimited one-byte hexadecimal values that + define various SIP states. When SIP/CSR rotation is activated, a new + shield icon appears among the tools. Selecting it causes the next defined + value to be set and a confirmation message to appear for three seconds. - Added display of current System Integrity Protection (SIP) mode to "About" display. 
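Review bot: The rewritten NEWS sentence pair is ambiguous: "This feature is disabled by default, except on CD-R and USB flash drive images, on which it's enabled. To enable it, you must make TWO changes to refind.conf" reads as though the two edits are still required on the images; suggest "To enable it on a regular installation, you must make TWO changes". Since the mkcdimage hunk below hard-codes `csr_values 10,77` into the image's refind.conf, the NEWS entry should also name those two values and state which SIP states they correspond to, so that users of the images know exactly what the shield icon toggles between.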
diff --git a/docs/refind/sip.html b/docs/refind/sip.html index 905e4a0..0973f40 100644 --- a/docs/refind/sip.html +++ b/docs/refind/sip.html @@ -131,7 +131,7 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com

-

Apple's OS X 10.11 (aka El Capitan) includes a new feature, known as System Integrity Protection (SIP), aka "rootless" mode. This feature is causing some consternation for advanced users, because it restricts what you can do with your computer, even as root. This page is dedicated to this new feature, including basic information on why SIP exists, how to install rEFInd on a computer with SIP enabled, and how to use rEFInd to manage SIP.

+

Apple's OS X 10.11 (aka El Capitan) includes a new feature, known as System Integrity Protection (SIP), aka "rootless" mode. This feature is causing some consternation for advanced users, because it restricts what you can do with your computer, even as root. This page is dedicated to this new feature, including basic information on why SIP exists, how to install rEFInd on a computer with SIP enabled, and how to use rEFInd to manage SIP. Note that if you've come here for help installing rEFInd on a Mac with SIP enabled, you can click to one of the methods in the "Contents" box to the left of this paragraph. I recommend trying Recovery mode first; but if you have reason to try another method, you can do so.

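Review bot: Wording in the added sentence: "you can click to one of the methods in the "Contents" box" should be "click through to one of the methods" (or "jump to"), and "I recommend trying Recovery mode first; but if you have reason" wants a comma rather than a semicolon before "but".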
@@ -147,15 +147,20 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com

+
  • Using Another OS
  • - +
  • Using rEFInd to Manage SIP
  • @@ -201,7 +206,7 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com

  • Type df -h in the Terminal. This produces a list of partitions that are mounted. Locate the one on which you unpacked the rEFInd files. It will normally be /Volumes/Somename, where Somename is the volume's name.
  • -
  • In the Terminal, use cd to change to the directory where the rEFInd files you unpacked earlier are stored. For instance, on my MacBook, I would type cd /Volumes/Macintosh\ HD/Users/rodsmith/Destkop/refind-0.10.1. Note that if any element of this path includes a space, you must either enclose the entire path in quotes or precede the space with a backslash (\), as in this example's Macintish\ HD volume name.
  • +
  • In the Terminal, use cd to change to the directory where the rEFInd files you unpacked earlier are stored. For instance, on my MacBook, I would type cd /Volumes/Macintosh\ HD/Users/rodsmith/Destkop/refind-0.10.0. Note that if any element of this path includes a space, you must either enclose the entire path in quotes or precede the space with a backslash (\), as in this example's Macintish\ HD volume name.
  • Type ls to verify that refind-install is present in this directory.
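Review bot: Since this line is being edited anyway (0.10.1 to 0.10.0), fix the two typos it carries over from the old line: "Destkop" should be "Desktop" in the example cd path, and "Macintish\ HD" should be "Macintosh\ HD" so the backslash illustration matches the volume name shown in the command itself.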
  • @@ -217,9 +222,13 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com

    Disabling SIP

    -

    Another option is to disable SIP for your regular boot. This is a viable option if you're an expert who needs regular access to tools with which SIP interferes, such as low-level disk utilities. Regular users should probably avoid this option unless the preceding procedure does not work—and in that case, you should disable SIP temporarily and then re-enable it when you've finished installing rEFInd.

    +

    Another option is to disable SIP for your regular boot. This is a viable option if you're an expert who needs regular access to tools with which SIP interferes, such as low-level disk utilities. Regular users should probably avoid this option unless the preceding procedure does not work—and in that case, you should disable SIP temporarily and then re-enable it when you've finished installing rEFInd. On this page, I describe two methods of disabling SIP: using OS X's Recovery HD system and using rEFInd on CD-R or USB flash drive.

    + + +

    Disabling SIP with Recovery HD

    +
    -

    To disable SIP, you must first boot into the Recovery HD, as in the previous procedure, and launch a Terminal window. Instead of locating and running the refind-instal script, though, you should type:

    +

    You can use the Recovery HD, as in the previous procedure, to disable SIP. To do so, boot it and launch a Terminal window, as described in the previous section. Instead of locating and running the refind-instal script, though, you should type:

    # csrutil disable
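Review bot: The rewritten sentence still refers to "the refind-instal script"; it should be "refind-install", the name the previous section tells the reader to check for with ls. Also, the new lead-in "using rEFInd on CD-R or USB flash drive" reads better as "using rEFInd on a CD-R or USB flash drive".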
    @@ -229,6 +238,30 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com

    If you want to re-enable SIP, you can do so in exactly the way you disabled it, except that you should type csrutil enable rather than csrutil disable in the Recovery environment.

    + +

    Disabling SIP with rEFInd

    +
    + +

    As described later on this page, rEFInd provides SIP control features, but they're disabled by default—except on the USB flash drive and CD-R images available from the rEFInd downloads page. On these images, the SIP control features are enabled, and can toggle between the two main modes you can set via csrutil enable and csrutil disable in the Recovery HD system. Thus, to disable SIP to install rEFInd, you can:

    + +
      + +
    1. Download the USB flash drive or CD-R version of rEFInd, as suitable for your computer.
    2. + +
    3. Prepare a boot medium. With the CD-R image, you can use your favorite disc-burning software. With the USB flash drive image, you can use dd to copy the image to a blank disk, as in dd if=refind-flashdrive-0.10.0.img of=/dev/disk3 to write the image to /dev/disk3. Any existing data on the target disk will be destroyed! For this reason, it's imperative that you specify the correct target (of=) disk; if you accidentally point this command to your regular hard disk, recovery will be difficult!
    4. + +
    5. Reboot and hold down the Option (or Alt) key to see the Mac's built-in boot manager.
    6. + +
    7. Select your external boot medium to boot to rEFInd.
    8. + +
    9. Use the SIP "shield" icon on the second row to toggle between SIP setting, as described in more detail in Using rEFInd to Manage SIP.
    10. + +
    + +

    Once you install rEFInd, you can leave SIP enabled, adjust its SIP settings to enable the features from rEFInd and disable it from within your regular rEFInd, or boot again from your external rEFInd to disable SIP.

    + +

    This procedure has the advantage of being a bit quicker than using the Recovery HD—at least, if you've already got rEFInd 0.10.0 or later on an external medium. It will also work if your Recovery HD installation is missing or broken. On the other hand, it's probably easier to boot to the Recovery HD once or twice than to download and prepare a rEFInd boot medium. Also, some Macs are a little flaky when it comes to booting from external media, so you may have trouble booting in this way. Finally, if you don't already have rEFInd on an external medium and if you don't have an optical drive, writing a USB flash drive with dd carries a small risk of accidentally trashing your hard disk, particularly if you're unfamiliar with disk devices and dd.

    +

    Using Another OS

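Review bot: The dd step writes to /dev/disk3 but gives the reader no way to determine the correct device, even though the same paragraph warns that a wrong of= target destroys the disk; suggest saying that /dev/disk3 is only an example, that the target should be identified with `diskutil list` first, and that it must be unmounted with `diskutil unmountDisk /dev/diskN` before dd (OS X refuses to write to a mounted disk). Two smaller points: "toggle between SIP setting" should be "SIP settings", and this section, unlike the Recovery HD section above it, never says how to re-enable SIP once rEFInd is installed, although the earlier paragraph tells regular users to do exactly that; one sentence noting that the same shield icon toggles it back on would close the gap.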
    diff --git a/mkcdimage b/mkcdimage index 3c8b58f..26cc785 100755 --- a/mkcdimage +++ b/mkcdimage @@ -35,7 +35,9 @@ cp $StartDir/shell*.efi ./ # EFI-boot CD... ln ../../refind/refind_ia32.efi ./bootia32.efi ln ../../refind/refind_x64.efi ./bootx64.efi -ln ../../refind/refind.conf-sample ./refind.conf +cp ../../refind/refind.conf-sample ./refind.conf +sed -i '/#showtools/a showtools shell,memtest,gdisk,apple_recovery,csr_rotate,windows_recovery,mok_tool,about,shutdown,reboot,firmware' refind.conf +sed -i '/#csr_values/a csr_values 10,77' refind.conf mkdir icons cd icons ln ../../../refind/icons/* ./ -- 2.39.2
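Review bot: Both `sed -i '/pattern/a text'` invocations rely on GNU sed (in-place editing with no suffix argument, and the one-line `a` form), so mkcdimage now fails under BSD/macOS sed; if the script is only ever run on Linux that is acceptable, but a comment saying so would save the next person a confusing error. The switch from ln to cp is required for the same reason (sed -i would otherwise rewrite the hard-linked refind.conf-sample in the source tree) and deserves a one-line comment. Note also that `/#showtools/a` and `/#csr_values/a` append after every matching line, so if refind.conf-sample mentions either keyword in a comment elsewhere the directive is inserted twice; anchoring on `^#showtools ` and `^#csr_values ` is safer. Finally, a comment beside `csr_values 10,77` explaining that these are the two SIP states (the csrutil enable and csrutil disable modes the sip.html hunk says the image toggles between) would make the intent clear to anyone editing the script later.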