hoakley June 25, 2020 Macs, Technology

Big Sur’s Signed System Volume: added security protection

The last two major releases of macOS have brought rapid evolution in the protection of their system files. Before explaining what is happening in macOS 11 Big Sur, I’ll recap what has happened so far.

In macOS Mojave 10.14, macOS boots from a single APFS volume, in which sensitive system folders and files are mixed with those which users can write to. The main protections provided to the system come from classical Unix permissions with the addition of System Integrity Protection (SIP), software within macOS.

Mojave2

In Mojave, all malware has to do is exploit a vulnerability in SIP, gain elevated privileges, and it can do pretty well what it likes with system files.

Catalina 10.15 changes that by splitting the boot volume into two: the System and Data volumes, making up an APFS Volume Group. Immutable system files now reside on the System volume, which not only has complete protection by SIP, but is normally mounted read-only.

CatalinaIntegrated152

This makes it far tougher for malware, which not only has to get past SIP but to mount the System volume as writable before it can tamper with system files.

Although Big Sur uses the same protected System volume and APFS Volume Group as Catalina, it changes the way that volume is protected to make it an even greater challenge for those developing malicious software: welcome to the Signed System Volume (SSV).

Every file on Big Sur’s System volume now has a SHA-256 cryptographic hash which is stored in the file system metadata. When data is read from the SSV, its current hash is compared with the stored hash to verify that the file hasn’t been tampered with or damaged. Those familiar with my file integrity tools will recognise that this is essentially the same technique employed by them.

Further hashing is used in the file system metadata itself, from the deepest directories up to the root node, where it’s called the seal. This ensures those hashes cover the entire volume, its data and directory structure. The seal is verified each time your Mac starts up, by the boot loader before the kernel is loaded, and during installation and update of macOS system files. If verification fails, startup is halted and the user prompted to re-install macOS before proceeding.

Updates are also made more reliable through this mechanism: if they can’t be completed, the previous system is restored using its snapshot.

For the great majority of users, all this should be transparent. You install macOS updates just the same, and your Mac starts up just like it used to. You can have complete confidence in Big Sur that nothing has nobbled what’s on your System volume. The only time you’re likely to come up against the SSV is when using bootable macOS volumes by cloning or from a macOS installer. Whatever you use to do that needs to preserve all the hashes and seal, or the volume won’t be bootable. All good cloning software should cope with this just fine.

If you need to install a kernel extension (not one of the newer System Extensions, DriverKit extension, etc.), that is no longer built into the prelinked kernel which is used to boot your system, instead being built into /Library/KernelCollections/AuxiliaryKernelExtensions.kc. As that’s on the writable Data volume, there are no implications for the protection of the SSV. Further details on kernel extensions are here.

What definitely does get much more complex is altering anything on the SSV, because you can’t simply boot your Mac from a ‘live’ System volume any more: that will fail these new checks. Apple has extended the features of the csrutil command to support making changes to the SSV. In outline, you have to boot in Recovery Mode, use the command
csrutil authenticated-root disable
to turn cryptographic verification off, then mount the System volume and perform its modifications. To make that bootable again, you have to bless a new snapshot of the volume using a command such as
sudo bless --folder /[mountpath]/System/Library/CoreServices --bootefi --create-snapshot

You can then restart using the new snapshot as your System volume, and without SSV authentication.

In Catalina, making changes to the System volume isn’t something to embark on without very good reason. In Big Sur, it becomes a last resort.

Further reading

Mojave boot volume layout
Catalina boot volume layout
Apple’s Develop article

Thanks to Damien Sorresso for detailing the process of modifying the SSV, and to @afrojer in their comment below which clarifies what happens with third-party kernel extensions (corrected 1805 25 June 2020).

110Comments

Add yours

1

Duncan on June 25, 2020 at 7:33 am

“Every file on Big Sur’s System volume now has a SHA-256 cryptographic hash which is stored in the file system metadata.”

Intriguing. Am I reading too much into that to think there *might* be hope for Apple supporting general user file integrity at some point in the future?

Also, any details on how/where the hashes are stored? (I imagine you have your hands full this week and next investigating all the big changes, so if you can’t delve into this now that’s certainly understandable.) Thank you.

LikeLike
- 2
  
  hoakley on June 25, 2020 at 3:44 pm
  
  I will look at this shortly, but I have a feeling that the hashes are inaccessible except by macOS.
  I have more to come over changes in file security and protection on Apple Silicon, but there’s nothing I can see about more general use of or access to file hashes, I’m afraid. But I wouldn’t have thought there’d be any fundamental barrier to enabling this on a per-folder basis, if Apple wanted to. I don’t think you’d want to do it on a whole read-write volume, like the Data volume: you can get away with this on the System volume because there’s so little writing involved, so the hashes remain static almost all the time.
  I’ll report back when I’ve had a bit more of a look around it, hopefully later today.
  Howard.
  
  LikeLike
  - 3
    
    Duncan on June 25, 2020 at 5:41 pm
    
    Again, no urgency, given all the other material you’re probably inundated with.
    
    (Also, I’ve scoured all the WWDC reports I could find and haven’t seen any mention of Time Machine in regards to Big Sur. I’m guessing there’s no TM2 on APFS, at least this year. )
    
    LikeLiked by 1 person
    - 4
      
      hoakley on June 25, 2020 at 6:09 pm
      
      Apple hasn’t, as far as I’m aware, made any announcement about changes to Time Machine. However, it very seldom does at WWDC, as that’s not so much a developer thing. I’m sure that we’ll see bug fixes, but whether it will support backups on APFS volumes I rather doubt. But I could be wrong.
      Howard.
      
      LikeLike
5

Jeremy C. Andrus (@afrojer) on June 25, 2020 at 5:05 pm

Loading of kexts in Big Sur does not require a trip into recovery. It just requires a reboot to get the kext loaded.
https://developer.apple.com/documentation/kernel/installing_a_custom_kernel_extension

Custom kexts are linked into a file here: /Library/KernelCollections/AuxiliaryKernelExtensions.kc (which is not on the sealed system volume)
You can checkout the man page for kmutil or kernelmanagerd to learn more 🙂

LikeLiked by 1 person
- 6
  
  hoakley on June 25, 2020 at 6:06 pm
  
  Thank you so much for that: I misread that article! I have now corrected this and my previous article accordingly.
  Howard.
  
  LikeLike
7

MacOS Big Sur 11.0 - Index of Need to Know Changes & Links UPDATED! on June 26, 2020 at 3:39 am

[…] Big Sur’s Signed System Volume: added security protection – eclecticlight.co/2020/06/25/big-surs-signed-system-volume-added-security-protection/ […]

LikeLike
8

John Gilbert on June 26, 2020 at 4:26 am

Howard, Have you seen that the new APFS reference https://developer.apple.com/support/downloads/Apple-File-System-Reference.pdf has a section on Sealed Volumes? The detail in the document is a bit beyond me!

LikeLiked by 1 person
- 9
  
  hoakley on June 26, 2020 at 12:29 pm
  
  Thank you.
  It looks like the hashes are going to be inaccessible. You can also only ‘seal’ a System volume in an APFS Volume Group, so I don’t think Apple wants us using its hashes to check integrity. For now.
  Howard.
  
  LikeLike
10

macOS 11 Big Sur bezpieczniejszy: pliki systemowe podpisane - Mój Mac on June 26, 2020 at 1:45 pm

[…] piszę Howard Oakley w swoim blogu Eclectic Light […]

LikeLike
11

Duncan on June 27, 2020 at 3:56 pm

Apparently you can now use an APFS-formatted drive with Time Machine in Big Sur:

https://appleinsider.com/articles/20/06/27/apfs-changes-affect-time-machine-in-macos-big-sur-encrypted-drives-in-ios-14

“Under Big Sur, users will be able to back up directly to an APFS-formatted drive, eliminating the need to reformat any disks.”

Assuming Apple doesn’t remove that functionality before release then that implies more efficient (and hopefully more reliable) TM backups.

LikeLiked by 1 person
- 12
  
  hoakley on June 27, 2020 at 10:47 pm
  
  Thank you – yes, we’ve been discussing this with another posting. I’ve written a more detailed account for publication here on Monday morning.
  Howard.
  
  LikeLike
13

Duncan on June 27, 2020 at 4:45 pm

Incidentally, I just checked prices on an external 1 TB SSD and they can be had for under $150 US. I imagine they’ll break below $100 within the next year. So I think the time is right for APFS-based Time Machine, based on the availability of reasonably-priced hardware for most users to support it.

LikeLiked by 1 person
- 14
  
  hoakley on June 27, 2020 at 10:48 pm
  
  I hope so – I ended up paying an arm and a leg for 4 x 2 TB SSDs for my backups, plus the case.
  Howard.
  
  LikeLike
15

mlch911 on June 28, 2020 at 3:05 am

You missed letter “d” in “csrutil authenticate-root disable”.
It’s “authenticated”.

LikeLiked by 1 person
- 16
  
  hoakley on June 28, 2020 at 5:54 am
  
  Thank you – I have corrected that now.
  Howard.
  
  LikeLike
17

Jack on June 28, 2020 at 5:21 pm

So, if I wanted to change system icons, how would I go about doing that on Big Sur?

I’m assuming the steps are:

1. disable authenticated root
2. bless
3. boot into OS
4. mount the read-only system volume
5. change icons
6. undo everything and enable authenticated root again

Unfortunately I can’t get past step 1; it tells me that “authenticated root” is an invalid command in recovery.

LikeLiked by 1 person
- 18
  
  hoakley on June 28, 2020 at 5:45 pm
  
  Short answer: you really don’t want to do that in Big Sur.
  Longer answer: the command has a hyphen as given above. I haven’t tried this myself, but the sequence might be something like –
  restart in Recovery Mode
  csrutil authenticated-root disable to disable crypto verification
  mount the System volume for writing
  modify the icons
  sudo bless --folder /[mountpath]/System/Library/CoreServices --bootefi --create-snapshot to create the new snapshot and bless it
  restart in normal mode, if you’re lucky and everything worked.
  That leaves your System volume without cryptographic verification, of course, and whether it will then successfully update in future must be an open question. If it is updated, your changes will then be blown away, and you’ll have to repeat the process.
  I think I’d stick with the default icons!
  Howard.
  
  LikeLike
  - 19
    
    Jack on June 28, 2020 at 8:44 pm
    
    Thanks for the reply! Would it really be an issue to stay without cryptographic verification though? Since I’m the only one making changes to the filesystem (and, of course, I am not installing any malware manually), wouldn’t I be able to fully trust the changes that I made? Additionally, before I update I could always revert back to the previous snapshot (from what I can tell, the original snapshot is always kept as a backup in case anything goes wrong). And afterwards, you can always make the partition read-only again, right? So from a security standpoint, it’s just as safe as before?
    
    LikeLiked by 1 person
    - 20
      
      hoakley on June 28, 2020 at 9:19 pm
      
      Well, it’s entirely up to you, but the prospect of repeating this seven or eight times (or more) during the beta phase, then again for the release version, would be a deterrent to me!
      From a security standpoint, you’re removing part of the primary protection which macOS 11 provides to its system files, when you turn this off – that’s why Apple has implemented it, to improve on the protection in 10.15. But that too is your decision.
      Howard.
      
      LikeLike
  - 21
    
    John on June 29, 2020 at 5:27 pm
    
    I have a screen that needs an EDID override to function correctly. The file resides in /[mountpath]/Library/Displays/Contents/Resources/Overrides therefore — for Catalina — I used Recovery Mode to edit those files. Am I out of luck in the future?
    
    LikeLiked by 1 person
    - 22
      
      hoakley on June 29, 2020 at 5:42 pm
      
      No, but you might like to look for a replacement!
      That’s a path to the System volume, and you will be able to add your override. I suspect that you’ll have to repeat that for each update to macOS 11, though, as it’s likely to get wiped out during the update process.
      I wish you success with it.
      Howard.
      
      LikeLike
  - 23
    
    Alden on September 12, 2020 at 1:09 pm
    
    Hey I’m trying to create the new snapshot because my Mac Pro (Mid 2014) has the issue where it randomly shutdown because of an issue with the “AppleThunderboltNHI.kext” found in /Volumes/Macintosh\ HD/System/Library/Extensions. In Catalina you could easily move the “AppleThunderboltNHI.kext” to a new folder and it worked fine, but with the Big Sur beta you can’t do that. I’m trying to implement the snapshot but you can’t run the “sudo bless –folder /Volumes/Macintosh\ HD/System/Library/CoreServices –bootefi –create-snapshot” in Recovery mode because sudo command is not available in recovery mode. Please how do I fix this?
    
    LikeLiked by 1 person
    - 24
      
      hoakley on September 12, 2020 at 2:12 pm
      
      I’m sorry, I don’t know. That’s the command given with early betas – it may have changed now.
      Howard.
      
      LikeLike
25

RobyRew on June 28, 2020 at 6:13 pm

Here what exactly i put?
“[mountpath]”

LikeLiked by 1 person
26

macOS 11.0 Big Surの署名済みシステム・ボリュームはセキュリティ保護を強化 | 酔いどれオヤジのブログwp on June 28, 2020 at 10:48 pm

[…] (Via The Eclectic Light Company .) […]

LikeLike
27

bwillius on July 6, 2020 at 2:06 pm

Why is kernelmanagerd using between 15 and 55% of my CPU on BS? My MacBook Air is also freezing every day or 2. The MacBook has never done that on Crapolina.

LikeLiked by 1 person
- 28
  
  hoakley on July 6, 2020 at 2:23 pm
  
  I’m sorry, I don’t know. Have you reported it to Apple?
  Howard.
  
  LikeLike
29

Cameron on July 10, 2020 at 1:53 am

If you were to make and bless your own snapshot to boot from, essentially disabling SSV from my understanding, is all of SIP then disabled on that snapshot or just SSV? Can you re-enable the other parts of SIP that do not revolve around the cryptographic hashes? It would seem silly to me to make all of SIP hinge on SSV.

SIP I understand is hugely important, and I would not dream of leaving it disabled, but SSV seems overkill for my use.

I also read somewhere that you could only disable SSV with FireVault off, but that definitely needs to stay on.

I essentially want to know how many levels of protection you can retain after making a change to the System folder if that helps clear it up.

Thanks,
Cameron.

LikeLiked by 1 person
- 30
  
  hoakley on July 10, 2020 at 10:32 pm
  
  I’m sorry – I don’t know. These are very early days with the SSV, and I think we’ll learn the rules and wrinkles in the coming weeks.
  Howard.
  
  LikeLike
31

Costas Kalantzopoulos on July 10, 2020 at 7:57 am

I’ve seen many posts and comments with people struggling to bypass both Catalina’s and Big Sur’s security to install an EDID override in order to force the OS recognise their screens as RGB. Guys, there’s no need to enter Recovery Mode and disable SIP or anything. Simply create a folder structure /Library/Displays/Contents/Resources/Overrides and copy there your folder with the patched EDID override file you have created for your screen (DisplayVendorID-XXXX/DisplayProductID-XXXX). Then reboot. It is that simple

LikeLiked by 1 person
- 32
  
  hoakley on July 10, 2020 at 10:34 pm
  
  Thank you – hopefully that will solve the problems.
  Howard.
  
  LikeLike
33

附錄三、問題排除 - OpenCore詳細教學 on July 16, 2020 at 9:47 pm

[…] FF0F0000-禁用macOS Big Sur（0xfff）中的所有標誌，該標誌具有用於身份驗證的root的另一個新標誌。 […]

LikeLike
34

Rick Mark on August 19, 2020 at 5:40 am

Found where the merkle tree is stored in img4 files: This is Big Sur Beta 4’s mtree = https://github.com/rickmark/mojo_thor/blob/master/SSV/mtree.i.txt

LikeLiked by 1 person
35

rickkmark on August 19, 2020 at 5:42 am

Looks like the mtree and root_hash are stored in im4p (img4 payload) files in the preboot volume. The merkle tree is a gzip compressed text file, and Big Sur beta 4 is here: https://github.com/rickmark/mojo_thor/blob/master/SSV/mtree.i.txt

LikeLiked by 1 person
- 36
  
  hoakley on August 19, 2020 at 8:05 am
  
  Thank you, and congratulations.
  That’s quite a large tree!
  Howard.
  
  LikeLike
37

Michael Tsai - Blog - APFS and Time Machine in Big Sur on September 30, 2020 at 8:22 pm

[…] APFS in macOS 11 changes volume roles substantially. The System volume within a boot Volume Group is now sealed using a tree of cryptographic hashes, as I have detailed here. […]

LikeLike
38

Markbot 2.0 on November 10, 2020 at 9:54 pm

I seem to recall that back in the olden days of Unix, there was an IDS (“Intrusion Detection System”) called “Tripwire” which stored a checksum for every system file and watched over them like a hawk. SSV seems to be an evolution of that, similar in concept (if not of execution), sort of Tripwire on steroids. I’d be interested to hear some old Unix hands commenting on the similarities or differences.

Incidentally, I am in total sympathy with the person who wants to change the icons of native apps. For years I reflexively replaced the Mail app’s unappealing postage stamp icon with a simple, old-fashioned, eye-catching mailbox — it just seemed to make visual sense to me — but with all the security baked into recent incarnations of macOS, I would never attempt that now.

At some point you just gotta learn to stop tinkering and let “the system” be.

-Mark

P.S. Come to think of it Howard, half the fun of using your utilities is that — well, they’re fun. We tinkerers get to tinker with them (without doing harm we hope — always helps to read the READ MEs!) and they illuminate the many otherwise obscure and hidden corners of macOS. So much to learn. Major thank you! 🙂

LikeLiked by 1 person
- 39
  
  hoakley on November 10, 2020 at 10:21 pm
  
  Thank you.
  Yes, I remember Tripwire, and think that at one time I used it.
  The SSV is very different in structure, because it’s like a Merkle tree. Individual files have hashes, then those hashes have hashes, and so on up in a pyramid to reach the single master Seal at the top. This saves having to keep scanning all the individual files in order to detect any change.
  I don’t think it’s novel by any means, but extremely ingenious, and I haven’t heard of its use in any other OS to protect the system files.
  Howard.
  
  LikeLike
40

macOS 11 Big Sur Arrives Thursday, Delay Upgrades - TidBITS on November 10, 2020 at 11:30 pm

[…] those beta issues, changes in Big Sur’s security scheme for the System volume may cause headaches for some users—if nothing else, reverting to Catalina will require […]

LikeLike
41

hstriepe on November 11, 2020 at 12:18 am

Late reply rescanning this post: running with “csrutil authenticated-root disable” does not prevent you from enabling SIP later.

LikeLiked by 1 person
- 42
  
  hoakley on November 11, 2020 at 9:09 am
  
  Sure. But what you can’t do is re-seal the SSV, which is the whole point of Big Sur’s improved security. For some, running unsealed will be necessary, but the great majority of users shouldn’t even consider it as an option.
  Howard.
  
  LikeLike
  - 43
    
    Cameron on November 13, 2020 at 6:45 pm
    
    Does running unsealed prevent you from having FileVault enabled?
    
    LikeLiked by 1 person
    - 44
      
      hstriepe on November 13, 2020 at 7:00 pm
      
      Since FileVault2 is handled for the whole container using the T2 I suspect, it will still work.
      
      LikeLiked by 1 person
    - 45
      
      hoakley on November 13, 2020 at 7:04 pm
      
      It shouldn’t make any difference. Sealing is about System integrity. Full disk encryption is about both security and privacy of your boot disk.
      Howard
      
      LikeLike
  - 46
    
    Cameron on November 13, 2020 at 9:29 pm
    
    Disabling SSV requires that you disable FileVault. I’ve installed Big Sur on a test volume and I’ve booted into recovery to run ‘csrutil authenticated-root disable’ but it seems that FileVault needs to be disabled on original Macintosh HD as well, which I find strange.
    
    LikeLiked by 1 person
    - 47
      
      hoakley on November 13, 2020 at 9:34 pm
      
      Is that with 11.0.1 release? That seems like a bug, or at least an engineering mistake.
      Howard.
      
      LikeLike
  - 48
    
    Cameron on November 13, 2020 at 9:43 pm
    
    Yes, terminal in recovery mode shows 11.0.1, the same version as my “Big Sur Test” volume which I had as the boot drive.
    
    LikeLiked by 1 person
    - 49
      
      hoakley on November 13, 2020 at 10:11 pm
      
      Thanks.
      So having removed the seal, could you not re-encrypt the disks?
      Howard.
      
      LikeLike
  - 50
    
    Cameron on November 14, 2020 at 12:07 am
    
    Here are my observations:
    
    Re-enabling FileVault on a different partition has no effect
    
    Trying to enable FileVault on the snapshot fails with an “internal error”
    
    Enabling csrutil also enables csrutil authenticated-root
    
    The snapshot fails to boot with either csrutil or csrutil authenticated-root enabled
    
    So it seems it is impossible to have an encrypted volume when SSV is disabled, which really does seem like a mistake to me, but who am I to say. So the choices are no protection or all the protection with no in between that I can find.
    
    LikeLiked by 1 person
    - 51
      
      hoakley on November 14, 2020 at 12:12 am
      
      I don’t think you can enable FileVault on a snapshot: it’s a whole volume encryption surely.
      Howard
      
      LikeLike
    - 52
      
      hstriepe on November 14, 2020 at 12:14 am
      
      Encryption should be in a Volume Group. But he knows the vagaries of Apple.
      
      LikeLiked by 1 person
    - 53
      
      hoakley on November 14, 2020 at 12:29 am
      
      Not necessarily a volume group: a VG encrypts as a group, but volumes not in a group can of course be encrypted individually.
      Howard
      
      LikeLike
  - 54
    
    Cameron on November 14, 2020 at 12:17 am
    
    Yeah, my bad, that’s probably what I meant. I booted using the volume containing the snapshot (“Big Sur Test” for me) and tried enabling FIleVault which failed.
    
    LikeLiked by 1 person
    - 55
      
      hoakley on November 14, 2020 at 12:32 am
      
      I think this needs more testing, ideally on an internal disk. Maybe when my M1 Macs arrive.
      Howard
      
      LikeLike
  - 56
    
    nathanaelruf on November 14, 2020 at 4:34 pm
    
    Hi,
    
    I am trying to do the same thing (have SSV disables but have FileVault enabled). My machine is a 2019 MacBook Pro 15″. Disabling SSV on the internal disk worked, but FileVault can’t be reenabled as it seems. I am getting “FileVault Failed \n An internal error has occurred.”
    
    csrutil enable prevents booting. If anyone finds a way to enable FileVault while having SSV disables please let me know.
    
    LikeLiked by 1 person
    - 57
      
      hoakley on November 14, 2020 at 5:24 pm
      
      Have you reported it to Apple as a bug?
      Howard.
      
      LikeLike
58

Big Sur Is Here, But We Suggest You Say “No Sir” for Now - TidBITS on November 13, 2020 at 9:20 pm

[…] Big Sur further secures the System volume by applying a cryptographic hash to every file on it, as Howard Oakley explains. That makes it incredibly difficult for an attacker to hijack your Big Sur install, but it has […]

LikeLike
59

Quint on November 16, 2020 at 9:44 am

Hi,

I installed Big Sur last Tuesday when it got released to the public but I ran into a problem.
In Mojave and Catalina I used to be able to remove the preinstalled apps from Apple by disabling system protection in system recovery and then in Terminal mounting the volume but in Big Sur I found that this isn’t working anymore since I ran into an error when trying to mount the volume in Terminal.
Do you guys know how this can still be done so I can remove those unwanted apps ? 🙂

LikeLiked by 1 person
- 60
  
  hoakley on November 16, 2020 at 9:53 am
  
  Thank you.
  Trust me: you really don’t want to do this in Big Sur. As explained above, in order to do this you have to break the seal on the System volume. You can’t then reseal it. Ever.
  Furthermore, users are reporting that before you can do that, you have to disable FileVault, and it doesn’t appear that you can re-enable that either.
  If you really want to do that, then the basic requirements are outlined above, but you’re out almost on your own in doing it, and will have lost two of your two major security protections. I wish you the very best of luck – you’ll need it!
  Howard.
  
  LikeLike
  - 61
    
    Quint on November 16, 2020 at 10:25 am
    
    Hi Howard,
    
    Thanks for your reply.
    I figured as much that Apple would end that possibility eventually and now they have.
    Still a sad day but I have ditched Big Sur…..I have reinstalled Catalina again and enjoy that for the time being.
    I really dislike Apple for adding apps which I can’t remove and some of them I can’t even use (like FaceTime / Siri on a Mac mini) Oh well I’ll see what happens when the European Commission has made a choice by forcing Apple to stop pre-installing apps on their IOS devices….maybe they’ll add macOS as well.
    
    Thanks again for the fast reply Howard !
    
    LikeLiked by 1 person
    - 62
      
      hoakley on November 16, 2020 at 6:20 pm
      
      Sorry about that.
      I must admit I don’t see the logic: Apple also provides multi-language support. Would you want most of that removed simply because you don’t use it? There’s nothing to force you to use Japanese, any more than there is with Siri, which I never use either.
      There is a real problem with sealing the System volume though, as the seal is checked against that for the system install. Apple can’t provide thousands of different seal values to cater for every possible combination of change system installations.
      Howard.
      
      LikeLike
63

Conor on November 16, 2020 at 11:48 pm

Hoakley, Thanks for this! and thanks to all the commenters! I’ve been running a Vega FE as eGPU with my macbook pro. It requires a modified kext for the fans to spin up properly. I was able to do this under Catalina with csrutil disable, and sudo mount -uw/ but as your article indicates this no longer works with Big Sur. I’m a bit of a noob with all this, but could you clarify, would I need to install the kext using terminal in recovery mode? Or could I do it after blessing the snapshot and restarting normally? Thanks for anyone who could point me in the right direction! 🙏🏻

LikeLiked by 1 person
- 64
  
  hoakley on November 17, 2020 at 12:30 am
  
  Very few people have experience of doing this with Big Sur. Have you contacted the support desk for your eGPU?
  Tampering with the SSV is a serious undertaking and not only breaks the seal – which can never then be resealed – but it appears to conflict with FileVault encryption too.
  Normally, you should be able to install a recent kext in the Finder. If that can’t be done, then you may be better off remaining in Catalina for the time being.
  Howard.
  
  LikeLike
  - 65
    
    hstriepe on November 17, 2020 at 1:56 am
    
    This thread has a lot of useful info for supporting the older Mac no longer supported by Big Sur.
    
    https://forums.macrumors.com/threads/macos-11-big-sur-on-unsupported-macs-thread.2242172/page-264
    
    There is a big-sur-micropatcher that makes unlocking and patching easy here:
    https://github.com/barrykn/big-sur-micropatcher
    
    LikeLiked by 1 person
    - 66
      
      hoakley on November 17, 2020 at 1:49 pm
      
      Thank you.
      Thankfully, with recent Macs I don’t have to engaged in all that fragile tinkering.
      Each to their own…
      Howard.
      
      LikeLike
  - 67
    
    hstriepe on November 17, 2020 at 5:50 pm
    
    @hoakley With each release cycle I think that the days of my trusty Mac Pro 5,1 are done. But with its dual 3.06Ghz Xeons providing 12 cores, 48GB of ECC RAM, 40TB of HDD, 4TB of SSD, and 2TB of NVME disks all displayed via a flashed RX-580 on a big, wide screen, it is really hard to find something better. I use it for my (now part time) work as CTO. Running multiple VMs is a cinch on this beast.
    It is dead quiet and has been “just there” for eight years. With an upgraded BLE/WiFi watch unlock works. It sleeps and does everything I need.
    My “fully equipped” MacBook Pro 2018 never quite measured up.IN fact, I still use an old 11″ MacBook Air mid 2011 with upgraded disk and BLE for portable productivity not satisfied with an iPad.
    But I fathom that the M1 MacBook Pro arriving later this week might give it all a run for the money. My wife’s Air is in today and I will have to “take a couple of days to make sure it works.”
    She has no patience for tech or fiddling.
    BTW, I thought that I would not be able to get it past Catalalina, but Big Sur is running nicely. I do have to ditch authenticated root to enable the continuity flag for my MB, but that’s it. OS upgrades are also a bit of a pain, but I have automated most of the hassle so it’s just a bit longer in the trundling phase with a couple of extra steps.
    
    LikeLiked by 1 person
    - 68
      
      hoakley on November 17, 2020 at 8:40 pm
      
      I wish you fun with the M1.
      Howard.
      
      LikeLike
69

tansharma on November 17, 2020 at 5:37 pm

Am I right in thinking that once you disable authenticated-root, you cannot enable it if you’ve made changes to the system volume? I’m hoping I don’t have to do this at all, but it might become an issue for some of our machines should users upgrade despite our warning(s).

LikeLiked by 1 person
- 70
  
  hstriepe on November 17, 2020 at 5:40 pm
  
  Yes. It effectively bumps you back to Catalina security levels.
  
  LikeLiked by 1 person
- 71
  
  hoakley on November 17, 2020 at 8:36 pm
  
  Thank you. Yes, unsealing the SSV is a one-way street. There’s no way to re-seal an unsealed System.
  However, even an unsealed Big Sur system is more secure than that in Catalina, as it’s actually a mounted snapshot, and not even the System volume itself.
  You probably won’t be able to install a delta update and expect that to reseal the system either. However, you can always install the new version of Big Sur and leave it sealed. I also expect that you will be able to install a delta update to an unsealed system, leaving it updated but unsealed.
  One unexpected problem with unsealing at present is that FileVault has to be disabled, and can’t be enabled afterwards.
  All these we will no doubt discover very soon.
  Howard.
  
  LikeLike
72

tansharma on November 17, 2020 at 5:44 pm

Thank you. Here’s hoping I don’t have to deal with that mess. Sounds like you’d also be stuck on the same version of Big Sur if the delta updates aren’t able to verify the cryptographic information.

LikeLiked by 1 person
73

JP on November 28, 2020 at 5:43 pm

Would this have anything to do with the fact that I can’t seem to install Big Sur to an APFS-encrypted volume like I did with Catalina?

LikeLiked by 1 person
- 74
  
  hoakley on November 28, 2020 at 6:13 pm
  
  I’m sorry, although I’ve upgraded two T2 Macs, both were on the internal SSD which is encrypted anyway, and not APFS encrypted. Hopefully someone else will be able to answer that.
  Howard.
  
  LikeLike
  - 75
    
    JP on November 28, 2020 at 8:01 pm
    
    Could you elaborate on the internal SSD being encrypted anyway?
    
    LikeLiked by 1 person
    - 76
      
      hoakley on November 28, 2020 at 8:04 pm
      
      In T2 Macs, their internal SSD is encrypted. Always. It’s not the encrypted APFS that you would use on external storage, but implemented in the T2 as disk controller. The only choice you have is whether to add your own password to strengthen its encryption. That isn’t the case on Macs without a T2 chip, though, where you have to opt to turn FileVault on or off.
      Howard.
      
      LikeLike
  - 77
    
    JP on November 28, 2020 at 8:30 pm
    
    It had not occurred to me that T2 encrypts the internal SSD by default. I have a 2020 MacBook Pro, and with Catalina, I formatted the internal SSD to APFS-encrypted, then I installed macOS, and then I also enabled FileVault. (This did required an extra password at boot, but I didn’t mind that). Big Sur, however, will not allow me to install to an APFS-encrypted volume on the internal SSD, even after unlocking said volume, so it’s unclear whether that’s a bug or design choice. That said, would you describe installing macOS the way I did with Catalina as redundant if my Mac has a T2 chip?
    
    LikeLiked by 1 person
    - 78
      
      hoakley on November 28, 2020 at 8:37 pm
      
      Yes, completely. All you need do on a T2 Mac is turn FileVault on for the boot disk. There’s no encryption stage – it’s already encrypted. And your password is then added security for that encryption. It’s free, and the encryption-decryption handled automatically by the T2.
      Howard.
      
      LikeLike
79

John GilbertJohn Gilbert on November 28, 2020 at 11:34 pm

@JP, You say:
” I have a 2020 MacBook Pro, and with Catalina, I formatted the internal SSD to APFS-encrypted, then I installed macOS, and then I also enabled FileVault.”

Even with a non-T2 chip Mac, this was not the correct/sufficient way to encrypt the boot disk. All that needed to be done was to install Catalina to an unencrypted disk (the default) and, after installation, enable FileVault in System Preferences. This allows the boot disk to be unlocked at login with your password and, in emergency, to be unlocked with a 24 character recovery code.

So it did not (and does not) matter whether you have T2 or not. Don’t do anything about encryption at installation, just enable FileVault afterwards. The only difference is that with a non-T2 Mac the encryption will be done behind the scenes after enabling FileVault.

LikeLiked by 1 person
- 80
  
  hoakley on November 29, 2020 at 7:37 pm
  
  Thank you – yes, that’s absolutely correct. Encrypted APFS volumes are intended for general storage purposes, not for boot volumes.
  Howard.
  
  LikeLike
81

Сергей Бард on December 1, 2020 at 7:45 pm

But why the user is not able to re-seal the modified volume again?
I mean the hierarchy of hashes is being compared to some reference kept somewhere on the same state, right? ( SSD/NVRAM )
So when the system is sealed by default it has original binary image that is bit-to-bit equal to the reference seal kept somewhere in the system.
When a user unseals the volume, edit files, the hash hierarchy should be re-hashed and the seal should to be accepted (effectively overwritng the (old) reference)
This workflow is very logical. Its my computer and my responsibility to trust my own modifications. Why I am not able to reseal the volume? after all SSV is just a TOOL for me, to be sure about the volume integrity.
I’d like to modify the volume, get rid of some processes who bypasses the firewalls (like Little Snitch – read their blog!) and seal it again. But no… apple did horrible job and didn’t make this tool available for the end user. Personal Computers move to the horrible iPhone model gradually where I cannot modify my private owned hardware on my own…

LikeLiked by 1 person
- 82
  
  hoakley on December 1, 2020 at 7:55 pm
  
  Thank you.
  Of course you can modify the system as much as you like. But Apple puts that seal there to warrant that it’s intact in accordance with Apple’s criteria. Thus no user can re-seal a system, only an Apple installer/updater, or its asr tool working from a sealed clone of the system.
  What you are proposing – making modifications to the system – cannot result in the seal matching that specified by Apple. So whose seal could that modified version of the system be compared against? If it’s a seal of your own, then that’s a vulnerability, because malicious software could then do exactly the same, modify the system and reseal it.
  If you choose to modify the system, you can’t reseal that, but you can run Big Sur perfectly well without a seal. In doing so, you make that choice to go without that security measure. Who’s stopping you from doing that? Certainly not Apple.
  Howard.
  
  LikeLike
83

PlutoHad (@HadPluto) on December 11, 2020 at 10:55 am

Howard – this is great writing and answer to the question I searched for days ever since I got my M1 Mac.

What is left unclear to me as a basic user: if 1) SSV disabling tampers some hardware change to prevent signing ever again on that maching or 2) SSV can be re-enabled by reinstallation of the MacOS Big Sur.

Hoping that option 2 is what we are looking at.

LikeLiked by 1 person
- 84
  
  hoakley on December 11, 2020 at 1:29 pm
  
  Thank you.
  Although I haven’t tried it myself yet, my understanding is that disabling the seal doesn’t prevent sealing any fresh installation of macOS at a later date. I suspect that quite a few are already doing that, and I know of no reports of problems. One thing to note is that breaking the seal in this way seems to disable Apple’s FairPlay DRM, so you can’t access anything protected with that until you have restored a sealed system.
  Reinstallation is then supposed to restore a sealed system again. I’d be inclined to perform a full restore using Configurator 2, which seems daunting but is actually very quick, less than 10 minutes. Once you’ve done it once, it’s not so bad at all.
  Howard.
  
  LikeLike
  - 85
    
    PlutoHad (@HadPluto) on December 18, 2020 at 2:48 pm
    
    Just reporting a finding from today that disabling SIP speeds-up launching of apps 2-3 times – versus SIP enabled!!!
    
    Post was described on Reddit and I literally tried it now and am shocked.
    Its very visible esp after the boot.
    
    I understand the need for SIP, but its hard to swallow this if it has performance impact even on M1…
    
    LikeLiked by 1 person
    - 86
      
      hoakley on December 18, 2020 at 4:54 pm
      
      Thank you.
      SIP is about much more than SIP, of course, and when you disable it, you cripple your platform security.
      I think you’ll find that if you turn off or disable all macOS platform security, starting an app will get even faster, and malware will also load much more quickly too.
      Every security measure has its penalties. It’s up to the user to strike the balance. As I don’t spend all day opening apps, that overhead is vanishingly small for me, and the benefits very much greater. Your mileage may differ.
      Howard.
      
      LikeLike
87

PlutoHad (@HadPluto) on December 18, 2020 at 5:34 pm

Thanks Howard, agree with you comments.

In the same time – calling for a SIP performance “fix” that could help it run more efficiently…

When we all start calling SIP its real name – antivirus/antimalvare and not just blocker of accessing certain system folders – we can acknowledge performance hit…

But then again we have faster and slower antiviruses..

LikeLiked by 1 person
- 88
  
  hoakley on December 18, 2020 at 11:21 pm
  
  Looking at the logs frequently, as I tend to do, there are plenty of inefficiencies apparent, but not in SIP and its related processes, oddly. For example, when you open an app without a quarantine flag, several different parts of the security and privacy system perform checks on its signature. Each runs the same test, and gets the same results, and it always puzzles me why several identical checks can’t be combined into one, with each of those processes accessing the same result. I’m sure there are good reasons why it can’t be as simple, but it’s hardly efficient.
  Howard.
  
  LikeLike
89

Peter on January 1, 2021 at 5:09 pm

Hello, you say that you can work fine with an unsealed volume, but I also see that for example, breaking the seal prevents you from turning FileVault ON. Maybe I am wrong ? – and how about updates ?

There are a lot of things (privacy related) that requires you to modify the system partition …
(ex: /System/Library/Frameworks/NetworkExtension.framework/Versions/A/Resources/Info.plist)

Just yesterday I had to modify “var/db/com.apple.xpc.launchd/disabled.501.plist” because if you unload something, it gets written to that file and stays there forever, even if the app/agent/daemon is no longer present – that is a trace you may not want someone to find.

LikeLiked by 1 person
- 90
  
  hoakley on January 1, 2021 at 5:36 pm
  
  Thank you.
  I didn’t know about FileVault, although in a T2 or M1 Mac the internal disk should still be encrypted as normal. It is well-known that you won’t be able to use anything which relies on FairPlay DRM.
  Of course, when an update is released, this all falls apart. I suspect that you’d need to use the full installer for the new version, then unseal that again.
  If you really feel the need or compulsion to modify files on the System volume, then perhaps you’d be better sticking with Catalina? Big Sur really isn’t intended to be used unsealed, which in any case breaks one of its major improvements in security.
  Howard.
  
  LikeLike
  - 91
    
    Peter on January 1, 2021 at 5:56 pm
    
    Well, would gladly use Catalina but there are so many bugs and the 16″ MacBook Pro can’t do Mojave (which would be perfect) since it is not supported 😦
    
    So use buggy Catalina or BigBrother privacy broken Big Sur – great options..
    
    EU needs a OS desperately!
    
    By the way, I saw about macs with T2 always encrypted stuff, just never tested – like if there is no password set (via FileVault enabled by user), then it works like a bitlocker Windows disk on a laptop with TPM ?
    
    LikeLiked by 1 person
    - 92
      
      hoakley on January 1, 2021 at 10:22 pm
      
      Thank you.
      I’d be interested to know in what respect you consider those or other parts of Big Sur break privacy.
      If you wanted to run Mojave on your MBP, you only have to install Catalina and run it in a VM, which would surely give you even better protection.
      I don’t know about Windows, but the base setting for T2 Macs is that most of the contents of the internal storage is permanently encrypted using keys in the Secure Enclave of the T2. Enabling FileVault doesn’t actually change the encryption, but restricts access to those keys. It’s a neat system.
      Howard.
      
      LikeLike
93

Peter on January 1, 2021 at 10:39 pm

Hi,
Well, I though the entire internet knows by now, but you can read about it here:
https://arstechnica.com/gadgets/2020/11/apple-lets-some-big-sur-network-traffic-bypass-firewalls/

I like things to run fast, really fast, so using VM’s is not an option (I use them for testing).

The thing is, encrypting or making the /System read-only does not prevent malware, rogue apps or privacy invading programs. There is no more a kid in the basement making viruses to wipe your precious pictures. There were apps (some that I unfortunately used), from the App Store, that leaked sensitive information.

Anyway, people need to learn, tot to become dumber thinking someone else has their back and they can stay dumb. I input the root password, well, I should be able to do whatever I want, wipe the disk or whatever.

I’m not fan of any OS (I use them all because I have to) but Privacy should always come first, no mater the price!.

By the way, T2 is now officially broken without the possibility of an Apple patch 😦
Best regards.

LikeLiked by 1 person
- 94
  
  hoakley on January 1, 2021 at 11:45 pm
  
  Thank you.
  Ah, that’s old news, thank you, and not even Patrick’s original article.
  I’m rather surprised that your risk assessment concluded that it was worth disabling Big Sur’s primary system protection in order to address that, but each to their own.
  Of course there were and are apps in the App Store which exfiltrate (not just leak, which implies it’s accidental) sensitive information, but that’s totally different. You get to choose which apps you use; you don’t get to choose what malware can attack, and putting privacy above security seems eccentric to say the least. One of the fundamental requirements for the effective protection of private information is a high level of security. Without in-depth and robust security, efforts to achieve privacy are doomed.
  Increased protection for the system is an essential step in securing macOS. And putting it out of reach of anyone able to obtain root is a major improvement. If you can do anything with the system, then so can an attacker. And when your system is compromised, what value was there in trying to stop Apple getting private data in the first place?
  Yes, I’m fully aware of the vulnerability of the T2, thank you. It’s a good thing that I’ve invested in two M1 Macs, and that the T2 was only a temporary measure along the way.
  Howard.
  
  LikeLike
95

Peter on January 2, 2021 at 4:17 pm

Well, privacy goes hand in hand with security, but should always be above, like any form of freedom.
You may be fortunate to live in Y country that has X laws at the moment – not all are in the same boat.

Tell a Syrian gay dude what is more important for him, some malware wiping his disk full of pictures and some docs or the websites visited and Messages sent to gay people – he will be arrested and even executed.

You have to assume responsibility, like everywhere in life. You drink and drive, well, you go to prison.
You like where iOS is? A walled garden where a big boss decides the rules. I don’t.

You have to teach kids in school about sex education, the risks, etc. not give them a chastity belt.
This is a long and non technical debate anyway 🙂

I keep a macbook for 8years, and I just got a 16″ MBP with a T2 – it was 3750 EUR in a country where the average salary is 488eur. So yes, I have to stick with it for a long time now, knowing it is not secure (and never will be), to make it “more” secure I have to sacrifice privacy, and it will look like my phone lol.

Apple keeps telling us how important privacy is for them, and then they whitelist their apps so they have unrestricted access to internet. Just great.

LikeLike
- 96
  
  hoakley on January 2, 2021 at 8:00 pm
  
  Thank you.
  Putting privacy as more important than security is like building a house with no foundations. In your specific example, what does that person do when their Mac/device is hacked by state security then? For without ensuring rock-solid security as the basis for protecting privacy, it becomes all too easy to bypass everything.
  A good example is OCSP revocation checking, which many people got very upset about. Without it, it’s all too easy for you to run software which is signed with a certificate which Apple has revoked, but your Mac has no means to check that. So for a tiny (if that) loss of privacy, you get a strong security protection. Block OCSP, and you’re vulnerable.
  In the end, you either trust Apple or you don’t. If you don’t trust Apple, then you really shouldn’t be running macOS. Apple owns the kernel and all its kexts. If you can’t trust it to do that, then Linux (or similar) is the only rational choice.
  While I don’t agree with a lot of what Apple does, it’s the only large vendor that I’ve never had any privacy problem with. Hell, they won’t even send me promotional email when I request it!
  Howard.
  
  LikeLike
97

Peter on January 3, 2021 at 10:51 pm

It is already a read-only volume (in Catalina), only accessible from recovery! How can a malware write there ? An how many in 100 users go in recovery, use terminal commands just to edit some config files ? This crypto volume crap is definitely a “mouth gag” for the power USER, not hackers, or malware.

Today we have the ExclusionList in there that can’t be modified, next something else.
This to me is a violation. Period.

OCSP? .. come one, I was running Dr.Unarhiver (from TrendMicro) for months, AppStore App, with all certificates and was leaking private info until Apple banned it.

And we get to the “you don’t like, don’t buy” – this is also wrong.
You don’t have a choice, and you should have – it should be enforced/imposed. You want to sell your software? Well, there has to be rules.

I’m not saying only Apple does it. That is the big problem. Sadly, everyone does it one way or another.

LikeLiked by 1 person
- 98
  
  hoakley on January 4, 2021 at 12:20 am
  
  Thank you.
  It may appear impregnable in Catalina, but mounting it writeable is not only possible but something every Apple updater does without going into Recovery mode. As Apple’s security engineers know exactly how that is achieved, they obviously understand how it is exploitable. Apple doesn’t keep any of the files which need to be mutable in the sealed System volume anyway – and put significant engineering effort into ensuring that using firmlinks.
  The sealed System Volume isn’t “crypto crap” – I really don’t understand what you mean by that. One major benefit to the user is that damaged system installs and updates are no longer possible, as they break the seal. As a warranty of system integrity that alone is a valuable advance.
  I’m not sure what your argument with OCSP is, I’m afraid.
  You do have a choice whether to buy Apple and run macOS. There are two other mainstream operating systems, Windows and Linux. If you put your trust in Microsoft, or in yourself in the case of Linux, you can work well (so I’m told) with either. No one forces you to buy Apple, do they? Why choose to buy computers and operating systems from a vendor you don’t feel you can trust? If I didn’t trust Apple, then I wouldn’t do business with them, nor develop software for macOS.
  Howard.
  
  LikeLike
99

nsklaus on January 4, 2021 at 12:11 pm

hello,

i’m trying to modify root partition from recovery. i’m able to remount read/write the system disk and modify the filesystem from there, but all the things i do are gone upon reboot.

my problem is that i cannot seem to be able to bless the partition, apparently:

-bash-3.2# bless –mount /Volumes/Macintosh\ HD –bootefi –create-snapshot
Couldn’t create snapshot on volume /Volumes/Macintosh HD: Operation not permitted

-bash-3.2# bless –folder /Volumes/Macintosh\ HD/System/Library/CoreServices/ –bootefi –create-snapshot
Couldn’t create snapshot on volume /Volumes/Macintosh HD: Operation not permitted

i have both “csrutil” and “csrutil authenticated-root” disabled.
i made a post on apple.stackexchange.com here:
https://apple.stackexchange.com/questions/410430/modify-root-filesystem-from-recovery

would anyone have an idea what am i missing or doing wrong ?

thank you

LikeLiked by 1 person
- 100
  
  hstriepe on January 4, 2021 at 3:15 pm
  
  Did you mount the volume for write access?
  mount -uw /Volumes/Macintosh\ HD
  
  LikeLiked by 1 person
  - 101
    
    nsklaus on January 4, 2021 at 3:56 pm
    
    yes i did. that was shown already at the link i provided.
    
    LikeLiked by 1 person
102

nsklaus on January 4, 2021 at 4:00 pm

that was also explicitly stated on the second sentence of my original post.
” i’m able to remount read/write the system disk and modify the filesystem from there …”

LikeLiked by 1 person
- 103
  
  hstriepe on January 4, 2021 at 5:52 pm
  
  Sorry to be annoying, I rushed to help.
  
  LikeLiked by 1 person
  - 104
    
    nsklaus on January 4, 2021 at 6:12 pm
    
    rushing to help is quite positive. i thank you for that ..allow me a small poke at humor: just be sure to read the question fully 🙂
    
    LikeLiked by 1 person
105

Ben Salzberg on January 9, 2021 at 1:19 am

I’m a mac lab manager and would like to change the login screen, which is a file on the now-even-more-protected system volume (/System/Library/Desktop Pictures/Big Sur Graphic.heic). Looks like there is now no way to change that? (I know I can change it for an individual user; in the past using ever-more-ridiculous methods I’ve been able to change it for all users (including network users)… OMG I just realized we’ve had to turn off SIP to enable JAMF to allow network users. Maybe I can convince everyone to switch to Linux 🙂 (more likely- Windows, since people won’t give up their Adobe and MicroSoft products)

LikeLiked by 1 person
- 106
  
  hoakley on January 9, 2021 at 5:27 pm
  
  Thank you.
  I think you should be directing these questions as JAMF and other sysadmins.
  I also wonder whether the benefits of the SSV might make your job a lot easier – never another apparently broken system update, and enhanced security. But if you’re turning SIP off, perhaps you need to talk to JAMF soonest.
  Howard.
  
  LikeLike
  - 107
    
    Ben Salzberg on January 11, 2021 at 4:39 pm
    
    Thanks, we have talked to JAMF and Apple. Apple acknowledged it was a bug, but who knows in Big Sur yet (I haven’t had a chance to test yet). But I’m remembering it might have been a file in /Library and not /System/Library. In any case, what about the login screen for all users (i.e. network users)? Still stuck with that godawful big sur image and no chance to brand for our school?
    
    LikeLiked by 1 person
    - 108
      
      hoakley on January 11, 2021 at 6:07 pm
      
      Thank you.
      There’s a world of difference between /Library and /System/Library!
      Howard.
      
      LikeLike
109

platyhsu on January 14, 2021 at 8:57 am

Thank you for the informative post. I was trying to disable SIP on my M1 MacBook Pro when I found doing so prevents the Mac from running iOS apps — an alert will appear upon launching that the app “can’t be opened because Security Policy is set to Permissive Security” and I’ll need to “change the Security Policy to Full Security or Reduced Security.”

Intriguingly, I didn’t actually changed the Permissive Security Policy myself at all — it seems that executing `csrutil disable` has the side effect of reduce the policy level to “Permissive,” and tuning the policy level up to “Reduced” or “Full” also force re-enabling SIP.

I have tried to avoid this by executing `csrutil disable` with flags such as `–with kext –with dtrace –with nvram –with basesystem` and re-enable Authenticated Root Requirement with the `authenticated-root` sub-command you mentioned in the post; all resulted in vain.

Do you know if there’s any possibility to both have SIP (at least partially) disabled and keep the Security Policy on the “Reduced” level, so that I can run certain high-privileged utilities (such as yabai, a tiling window manager) while keeping the ability to run iOS apps? Thanks in advance.

LikeLike
- 110
  
  hoakley on January 14, 2021 at 9:58 am
  
  Thank you.
  No, because SIP and the security policies are intimately related, you can’t AFAIK have your cake and eat it.
  What you can do though is boot from another copy of Big Sur, say on an external disk, and have different security policies when running that. This is because, unlike the T2 chip, the M1 manages security policy per bootable OS. In your case, that probably doesn’t help you run highly privileged utilities, but they’re not really consistent with Mac security over the last few years.
  Howard.
  
  LikeLike