From cf4d4184e6a83cf0784b5f95c1b5e4868384ae0b Mon Sep 17 00:00:00 2001 From: srs5694 Date: Mon, 2 Nov 2015 22:45:08 -0500 Subject: [PATCH] Added summary of Apple System Integrity Protection (SIP) status to "About" menu. --- mountesp | 19 +++++++++++++++++++ refind/global.h | 19 +++++++++++++++++++ refind/main.c | 27 ++++++++++++++++++++++++++- 3 files changed, 64 insertions(+), 1 deletion(-) diff --git a/mountesp b/mountesp index e1c35a7..6459199 100755 --- a/mountesp +++ b/mountesp @@ -1,4 +1,18 @@ #!/bin/bash +# +# Mac OS X script to locate and mount an EFI System Partition (ESP) +# +# Usage: +# +# ./mountesp +# +# This program is copyright (c) 2012-2015 by Roderick W. Smith +# It is released under the terms of the GNU GPL, version 3, +# a copy of which should be included in the file COPYING.txt. +# +# Revision history: +# +# 0.9.3 -- Initial release (with rEFInd 0.9.3) # Mount the ESP at /Volumes/ESP or determine its current mount # point. @@ -25,10 +39,15 @@ MountOSXESP() { fi fi Esp=/dev/`echo $Temp` + echo "The ESP has been identified as $Esp; attempting to mount it...." # If the ESP is mounted, use its current mount point.... Temp=`df -P | grep "$Esp "` MountPoint=`echo $Temp | cut -f 6- -d ' '` if [[ "$MountPoint" == '' ]] ; then + if [[ $UID != 0 ]] ; then + echo "You must run this program as root or using sudo! Exiting!" + exit 1 + fi MountPoint="/Volumes/ESP" mkdir /Volumes/ESP &> /dev/null mount -t msdos "$Esp" /Volumes/ESP diff --git a/refind/global.h b/refind/global.h index 30de68c..d7a8821 100644 --- a/refind/global.h +++ b/refind/global.h 
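Review bot: The new root check in MountOSXESP tests `$UID` and writes its failure message to stdout; `if [[ $EUID -ne 0 ]] ; then` with `echo "You must run this program as root or using sudo! Exiting!" >&2` would test the effective user and keep the error out of any captured output. The added `echo "The ESP has been identified as $Esp; attempting to mount it...."` runs before the `df` check, so it is also printed when the ESP turns out to be mounted already and no mount is attempted. The function starts and ends outside this hunk. In the visible context lines the `mkdir` output is discarded and the `mount` result is not tested, so a failure after the root check would presumably go unreported unless later code handles it.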
@@ -147,6 +147,25 @@ #define ICON_SIZE_SMALL 1 #define ICON_SIZE_BIG 2 +// The constants related to Apple's System Integrity Protection (SIP).... +#define CSR_GUID { 0x7c436110, 0xab2a, 0x4bbb, { 0xa8, 0x80, 0xfe, 0x41, 0x99, 0x5c, 0x9f, 0x82 } }; +// These codes are returned in the first byte of the csr-active-config variable +#define CSR_ALLOW_UNTRUSTED_KEXTS 0x01 +#define CSR_ALLOW_UNRESTRICTED_FS 0x02 +#define CSR_ALLOW_TASK_FOR_PID 0x04 +#define CSR_ALLOW_KERNEL_DEBUGGER 0x08 +#define CSR_ALLOW_APPLE_INTERNAL 0x10 +#define CSR_ALLOW_UNRESTRICTED_DTRACE 0x20 +#define CSR_ALLOW_UNRESTRICTED_NVRAM 0x40 +// Some summaries.... +#define SIP_ENABLED CSR_ALLOW_APPLE_INTERNAL +#define SIP_DISABLED (CSR_ALLOW_UNRESTRICTED_NVRAM | \ + CSR_ALLOW_UNRESTRICTED_DTRACE | \ + CSR_ALLOW_APPLE_INTERNAL | \ + CSR_ALLOW_TASK_FOR_PID | \ + CSR_ALLOW_UNRESTRICTED_FS | \ + CSR_ALLOW_UNTRUSTED_KEXTS) + // Names of binaries that can manage MOKs.... #define MOK_NAMES L"MokManager.efi,HashTool.efi,HashTool-signed.efi,KeyTool.efi,KeyTool-signed.efi" // Directories to search for these MOK-managing programs. Note that SelfDir is diff --git a/refind/main.c b/refind/main.c index dd0fc98..6908169 100644 --- a/refind/main.c +++ b/refind/main.c 
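Review bot: `CSR_GUID` carries a trailing semicolon inside the macro body, so `EFI_GUID CsrGuid = CSR_GUID;` in main.c expands to a declaration followed by an empty statement ahead of the next declaration, which strict C89 builds reject. Define it as `#define CSR_GUID { 0x7c436110, 0xab2a, 0x4bbb, { 0xa8, 0x80, 0xfe, 0x41, 0x99, 0x5c, 0x9f, 0x82 } }`. `SIP_ENABLED` and `SIP_DISABLED` are whole-byte values that main.c compares with equality in a `switch`, not masks, and `SIP_DISABLED` leaves out `CSR_ALLOW_KERNEL_DEBUGGER`. The "Some summaries...." comment should say this, for example `// Exact csr-active-config first-byte values, matched with ==; not bitmasks. Any other bit combination is reported as unrecognized.`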
@@ -183,13 +183,26 @@ struct LOADER_LIST { // misc functions // +static INTN GetCsrStatus(VOID) { + CHAR8 *CsrValues; + UINTN CsrLength; + EFI_GUID CsrGuid = CSR_GUID; + EFI_STATUS Status; + + Status = EfivarGetRaw(&CsrGuid, L"csr-active-config", &CsrValues, &CsrLength); + if ((Status == EFI_SUCCESS) && (CsrLength == 4)) + return CsrValues[0]; + else + return -1; +} // INTN GetCsrStatus() + static VOID AboutrEFInd(VOID) { CHAR16 *FirmwareVendor; if (AboutMenu.EntryCount == 0) { AboutMenu.TitleImage = BuiltinIcon(BUILTIN_ICON_FUNC_ABOUT); - AddMenuInfoLine(&AboutMenu, L"rEFInd Version 0.9.2.4"); + AddMenuInfoLine(&AboutMenu, L"rEFInd Version 0.9.2.5"); AddMenuInfoLine(&AboutMenu, L""); AddMenuInfoLine(&AboutMenu, L"Copyright (c) 2006-2010 Christoph Pfisterer"); AddMenuInfoLine(&AboutMenu, L"Copyright (c) 2012-2015 Roderick W. Smith"); @@ -207,6 +220,18 @@ static VOID AboutrEFInd(VOID) #else AddMenuInfoLine(&AboutMenu, L" Platform: unknown"); #endif + if (StriSubCmp(L"Apple", ST->FirmwareVendor)) { + switch (GetCsrStatus()) { + case SIP_ENABLED: + AddMenuInfoLine(&AboutMenu, L" System Integrity Protection is enabled"); + break; + case SIP_DISABLED: + AddMenuInfoLine(&AboutMenu, L" System Integrity Protection is disabled"); + break; + default: + AddMenuInfoLine(&AboutMenu, L" System Integrity Protection status is unrecognized"); + } // switch + } // if FirmwareVendor = StrDuplicate(ST->FirmwareVendor); LimitStringLength(FirmwareVendor, MAX_LINE_LENGTH); // More than ~65 causes empty info page on 800x600 display AddMenuInfoLine(&AboutMenu, PoolPrint(L" Firmware: %s %d.%02d", FirmwareVendor, ST->FirmwareRevision >> 16, -- 2.39.2
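Review bot: GetCsrStatus returns `CsrValues[0]` through a `CHAR8` and never releases `CsrValues`. On a toolchain where `CHAR8` is a signed type, a first byte with the high bit set comes back negative, and 0xFF comes back as -1, the same as the error return; `return (UINT8) CsrValues[0];` keeps the two apart. `EfivarGetRaw` is not defined in this patch, but if it returns a pool allocation the buffer should be freed on both the success and the wrong-length path before returning. The function also deserves a short header comment stating that it requires a length of exactly 4 and reports only the first byte.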
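Review bot: The `switch (GetCsrStatus())` added to AboutrEFInd recognises only the exact values `SIP_ENABLED` and `SIP_DISABLED`, so a missing or malformed variable (-1) and every other combination of CSR bits, including partly relaxed protection, all produce the same "status is unrecognized" line. Since a user reads this screen to judge the machine's protection state, the default branch should show the raw value, for example `AddMenuInfoLine(&AboutMenu, PoolPrint(L" System Integrity Protection status: 0x%02x", CsrStatus));`. That needs the result stored in a local first, with -1 handled as a separate "variable not set" case. The `default:` label also has no `break;`, unlike the two cases above it. AboutrEFInd starts and ends outside this hunk.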