When SIP status is unknown, SilentKnight and silnite can be foxed

No matter how well we think we know our Macs, sometimes they spring little surprises. I’m very grateful to Mark for telling me how he was caught out by SIP, and how SilentKnight let him down.

When he was experiencing problems with iCloud sync on his MacBook Pro 2018 (Intel T2), Mark logged out of iCloud then logged back in again, a manoeuvre many of us try. Although this fixed his iCloud issues, he then had to add his credit cards back to his Apple Wallet. However, he was next warned that Apple Pay couldn’t be set up, as the security settings of that Mac had been modified.

Alas, SilentKnight reported nothing amiss, and specifically told him “SIP & SSV enabled”. However, that wasn’t the case, and csrutil status returned:
System Integrity Protection status: unknown (Custom Configuration). Configuration: Apple Internal: disabled Kext Signing: disabled Filesystem Protections: disabled Debugging Restrictions: disabled NVRAM Protections: disabled BaseSystem Verification: enabled This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.

Mark then tried enabling SIP in Recovery mode, but csrutil status still returned unknown, although more of its components had been enabled this time. He finally rectified this by resetting SMC and NVRAM, which resolved the problem, returned SIP to fully enabled, and allowed him to add his cards back.

I’ve been investigating why SilentKnight should have returned such a wrong result when it checked his Mac’s SIP status. As a result, I have new versions of SilentKnight and silnite to deal better with this unusual situation.

As Apple silicon Macs have quite different security settings, which the app checks in a different way, this problem should be confined to Intel Macs.

SilentKnight 2.1, for Catalina and later, addresses this flaw, and is available now from here: silentknight201
from Downloads above, from its Product Page, and via its auto-update mechanism.

Checking the source code of silnite, I realised that it too could be prone to this error, but only if you rely on its plain text output; JSONised XML and proper JSON output aren’t affected, as they contain the full results from the csrutil status command.

silnite version 9 should fix that text output, and is available now from here: silnite9
from Downloads above, and from its Product Page.

What remains a mystery is how SIP on Mark’s MacBook Pro became so deranged that even macOS declared its status as “unknown”, but that’s a problem for Apple to solve, not me. Should you ever run into the same problem, you know now to turn SIP back on in Recovery mode, then reset the SMC and NVRAM.

Thanks to Mark for providing so much useful information, and for solving his problem so effectively.

6Comments

Add yours

1

Macintoshista on October 18, 2022 at 6:50 am

Is this issue confined to Intel Macs with a T2 chip? Anyway a useful tip in resolving the issue and good to see your tools updated so speedily.

LikeLiked by 1 person
- 2
  
  hoakley on October 18, 2022 at 9:20 am
  
  I don’t know. Because SilentKnight has to get a different set of info for Apple silicon Macs, it doesn’t use csrutil on them, so the problem can’t occur there. Whether this same unknown state can exist on any Intel Mac, or just those with T2 chips is, well, unknown.
  Howard.
  
  LikeLiked by 1 person
3

dominikushoffmann on October 18, 2022 at 1:43 pm

I just installed SilentKnight Version 2.1 (14). It flags that XPR is out of date. It is at 75 and should be at 78. When I click on “Install all updates” and then hit Check again, nothing changes.

LikeLiked by 1 person
- 4
  
  hoakley on October 18, 2022 at 2:05 pm
  
  Thank you.
  First, you don’t need to click the Check button after installing updates: SilentKnight automatically checks for you.
  Second, you don’t mention the text shown in the lower text view after you tried installing those updates, which reports what happened, whether the update(s) could be downloaded, and whether they were installed correctly.
  SilentKnight has a 33 page Help Reference, accessible from that command in the Help menu. I spend as long writing its documentation as I do writing its code.
  Open that Help Reference, and on the Start page locate the item at the lower right ‘Failed updates’. Click on that and you’ll see a set of hints about what can go wrong and what to so about it. I suspect you’re running a Content Caching server, and although the update downloaded fine, I suspect it failed to install. The Help Reference states:
  “Sometimes updates aren’t found, even though others can download and install them, or they fail to install correctly. The latter are clearly show in the lower text box, which records the update being downloaded, but then failing to install, leaving the version number unchanged.
  If you’re obtaining your Mac’s updates through a local Content Caching server, the next step is to temporarily disable that in Sharing. Quit SilentKnight, open it again, and try installing the update(s) again. Once installed successfully, you can enable the Content Caching service again.”
  This is a known bug in the Content Caching server which I have reported to Apple twice now.
  If you aren’t using the Content Caching server, the next two paragraphs there suggest restarting your Mac, and starting up in Safe mode, and trying from there.
  I wish you success.
  Howard.
  
  LikeLiked by 1 person
5

dominikushoffmann on October 18, 2022 at 2:10 pm

Having the Content Caching turned on was exactly what the issue was. Thanks very much, Howard!

LikeLiked by 1 person
- 6
  
  hoakley on October 18, 2022 at 2:12 pm
  
  I’m sorry about this problem with the Content Caching server, but I don’t know what else I can do to get Apple to realise how important this is.
  Howard.
  
  LikeLike

Share this:

Like this:

Related