Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow building boxes with SIP disabled #4

Open
bacongravy opened this issue Apr 3, 2018 · 12 comments
Open

Allow building boxes with SIP disabled #4

bacongravy opened this issue Apr 3, 2018 · 12 comments
Labels
enhancement New feature or request

Comments

@bacongravy
Copy link
Owner

Sometimes you need to test or verify something, and SIP gets in your way. It would be useful to be able to quickly spin up a VM with SIP pre-disabled.

The SIP setting is stored in NVRAM, so it may be possible to generate an appropriate .nvram file and drop it into the box at creation time, without having to boot the image at all.
@bacongravy bacongravy added the enhancement New feature or request label Apr 3, 2018
@bacongravy bacongravy mentioned this issue Feb 15, 2019
Closed
@egandro
Copy link
Contributor

egandro commented May 30, 2019

I found this:

https://www.tekrevue.com/tip/mac-vm-boot-recovery-mode-vmware-fusion/

macosguest.forceRecoveryModeInstall = "TRUE"

Boots the VM in OSX Recovery Mode. This opens the door to an elevated terminal.

@egandro
Copy link
Contributor

egandro commented May 30, 2019

So this works. OSX gets into Recovery.

I have a theory - this might be the offset in the nvram that needs to be patched:

< 00002200: 0000 0000 2c3b 0000 61df e48b ca93 d211  ....,;..a.......
---
> 00002200: 0000 0000 463e 0000 61df e48b ca93 d211  ....F>..a.......

The other part I found is about the boot loader.

@KirkMartinez
Copy link

KirkMartinez commented Jun 10, 2019
edited

I have this need as well. Happy to test out any proposed implementations.
I tried hacking my nvram file, but replacing those bytes was not sufficient for "csrutil status" to show "disabled".

@egandro what did you find about the boot loader?

@egandro
Copy link
Contributor

egandro commented Jun 14, 2019
edited

I put a few more hours in this investigating what the "magic bits" are in the NVRAM.

  1. I created a fresh OSX install - backuped the nvram
  2. I bootet into recovery (using the .vmx line for forcing the recovery mode) - i backuped the nvram
  3. I csr'ed via recovery terminal - and i backuped the nvram

Binary diffing 1/2/3 lead into no insigths. I used diff + xxd (from vim - to create a hexdump)

So maybe somebody has a smarter idea then I have.

2nd approach - how does clover do this?

https://github.com/svn2github/cloverefiboot/blob/bb27dc5fc4c85f08375b04f3752d44fdf8c538fa/rEFIt_UEFI/Platform/kext_inject.c

They patch the kexts in memory :(

Unfortunately it's not a simulated nvram...

So this is still open...

@JonHolman
Copy link

Is there a way I can boot my macinbox virtualbox VM into recovery mode? I want to disable SIP to test some things. I see the line above, but I'm not sure where to put that.

@bacongravy
Copy link
Owner Author

@JonHolman Some quick googling indicates that there are a couple of methods that may work to get you into recovery mode with Virtualbox, but I don't have experience with them and can't comment on whether they would be effective.

The macosguest.forceRecoveryModeInstall = "TRUE" setting is for VMware Fusion, not Virtualbox, but I also haven't tested that method, either.

@JonHolman
Copy link

@bacongravy thanks. I'm not sure how to trigger booting into recovery mode with virtualbox, but I ended up creating a Mojave ISO and booted to that and was able to do what I wanted.

@egandro
Copy link
Contributor

egandro commented Jul 19, 2019

The macosguest.forceRecoveryModeInstall = "TRUE" setting is for VMware Fusion, not Virtualbox, but I also haven't tested that method, either.

This works - however - after doing that you can't get the system to boot into non recovery mode... Maybe I am to stupid.

@frankosterfeld
Copy link
Contributor

https://github.com/myspaghetti/macos-virtualbox/blob/master/macos-guest-virtualbox.sh might have a solution for this (search for "csr-active-config"), generating a nvram file and loading it in the EFI boot loader, if I read that code correctly.

frankosterfeld added a commit to frankosterfeld/macinbox that referenced this issue Aug 19, 2020
@frankosterfeld
Add option to disable SIP
41d42b2 
Add option to disable SIP (System Integrity Protection) at boot time.

Currently only supported for virtualbox, so this partially implements
issue bacongravy#4.
frankosterfeld added a commit to frankosterfeld/macinbox that referenced this issue Aug 19, 2020
@frankosterfeld
Add option to disable SIP
6210b42 
Add option to disable SIP (System Integrity Protection) at boot time.

Currently only supported for virtualbox, so this partially implements
issue bacongravy#4.
@frankosterfeld frankosterfeld mentioned this issue Aug 19, 2020
Open
@frankosterfeld
Copy link
Contributor

I've created a pull request, but I can only test virtualbox here, so this needs to be applied for the other providers, too.

@bacongravy
Copy link
Owner Author

@frankosterfeld Thank you for the PR! I haven't had a chance to give it a spin but it looks good. I don't how to replicate this functionality for VMware Fusion or Parallels Desktop, so it may need to be VirtualBox-only for now.

@bacongravy
Copy link
Owner Author

(Specifically, I don't know how to replicate the dmpstore call from startup.nsh for VMware or Parallels.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@KirkMartinez @frankosterfeld @egandro @JonHolman @bacongravy