How to Disable SIP (System Integrity Protection) on Clover

Cyberdevs

Supervisor
Staff member
Joined
Aug 29, 2018
Messages
78
Motherboard
GA-Z170X-Gaming 5
CPU
Intel Core i7 6700K
Graphics
AMD Radeon Pro 580
OS X/macOS
10.15.x
Bootloader
  1. Clover (UEFI)
  2. OpenCore
Mobile Phone
  1. iOS
How to Disable SIP (System Integrity Protection) on Clover

Overview

According to Wikipedia: System Integrity Protection (SIP, sometimes referred to as rootless) is a security feature of Apple's macOS operating system introduced in OS X El Capitan. It comprises a number of mechanisms that are enforced by the kernel. A centerpiece is the protection of system-owned files and directories against modifications by processes without a specific "entitlement", even when executed by the root user or a user with root privileges (sudo).

Apple says that the root user can be a significant risk factor to the system's security, especially on systems with a single user account on which that user is also the administrator. System Integrity Protection is enabled by default, but can be disabled.

CsrActiveConfig values and their functions:
ValueFunction
CsrActiveConfig=0x0SIP is fully enabled
CsrActiveConfig=0x3SIP is partially disabled
CsrActiveConfig=0x67SIP is fully disabled

There are several other like 0x3E7 which eventually disables more protections than 0x67 but it’s not a good idea to disable all those protection measures which make macOS more vulnerable.

Changing CsrActiveConfig using Clover

There are two ways to do that, first method is changing the value of the CsrActiveConfig in the config.plist using Clover Configurator and the second once is to use Clover’s GUI and making those changes to the config.plist before booting into macOS.

If you change the value in the config.pllist by using Clover Configurator or any other plist editors when you save the file it will permanently change the SIP on each boot but if you use the second method it won’t change the config.plist permanently which means if you reboot the macOS it clover will read the value of the config.plist and load the SIP according to the setting in that file.


Here’s some illustrations to show you how to use both methods:

Method 1
Using Clover Configurator and the config.plist:

  1. Mount the EFI partition where Clover is installed.
  2. Open the config.plist with whatever application the you like
  3. Navigate to “Rt Variable”and change the value of the CsrActiveConfig to the value that you like
  4. Save the config.plist and reboot
Rt Variables.PNG

Method 2
Using Clover’s GUI:

1. Once you turn the computer on, when the Clover’s GUI is loaded just navigate to “Options” using the arrow keys and the press Enter/Return

screenshot0.png

2. Under Options menu navigate down to System Parameters->

screenshot1.png

3. Navigate down to System Integrity Protection ->

screenshot2.png

4. Select the options that you want to disable by selecting them and then pressing Enter/Return on the keyboard

screenshot3.png

5. Once you selected the options that you want the SIP to allow navigate down to the bottom of the list and the select “Return” and continue to do so until you see the Clover’s main GUI

6. Select the volume that you want to boot from and then you can check the state of the SIP by using the Terminal commands


Open macOS Terminal and type the command below:
csrutil status
 

Attachments

  • screenshot0.png
    screenshot0.png
    42.2 KB · Views: 960
  • screenshot1.png
    screenshot1.png
    39.1 KB · Views: 811
  • screenshot2.png
    screenshot2.png
    36.6 KB · Views: 806
  • screenshot3png.png
    screenshot3png.png
    54.6 KB · Views: 935
Last edited by a moderator:

Forum statistics

Threads
673
Messages
7,046
Members
5,903
Latest member
anna8888