From: srs5694 Date: Mon, 1 Feb 2016 02:43:56 +0000 (-0500) Subject: Modified SIP/CSR feature to work ON MACS when the csr-active-config X-Git-Url: https://code.delx.au/refind/commitdiff_plain/6720031b85a48ad6f6a651efb6bb5030c41b610d?ds=sidebyside Modified SIP/CSR feature to work ON MACS when the csr-active-config variable is missing; rEFInd treats that as if it were active. --- diff --git a/Makefile b/Makefile index 17a181e..d1158ef 100644 --- a/Makefile +++ b/Makefile @@ -12,7 +12,7 @@ MOK_DIR=mok GPTSYNC_DIR=gptsync EFILIB_DIR=EfiLib export EDK2BASE=/usr/local/UDK2014/MyWorkSpace -export REFIND_VERSION='L"0.10.2"' +export REFIND_VERSION='L"0.10.2.1"' # The "all" target builds with the TianoCore library if possible, but falls # back on the more easily-installed GNU-EFI library if TianoCore isn't diff --git a/NEWS.txt b/NEWS.txt index 013a8bc..c31529c 100644 --- a/NEWS.txt +++ b/NEWS.txt 
@@ -1,6 +1,21 @@ 0.10.3 (?/??/2016): ------------------- +- Modified SIP/CSR rotation code: If the csr-active-config EFI variable is + missing AND the firmware is Apple (as identified by the string "Apple" + being present in the ST->FirmwareVendor string), rEFInd treats the + computer as one on which SIP is available and set to the "enabled" state + (0x10). The upshot is that the SIP/CSR tool will appear if the showtools + and csr_values options are set appropriately in refind.conf, even if the + csr-active-config variable is missing from the NVRAM. The point of this + change is that I've received reports of some Macs that run OS X 10.11 but + that lack this variable. OS X acts as if SIP were enabled, but rEFInd is + then unable to disable SIP. This change gives rEFInd the ability to + disable SIP on such systems. The drawback is that the variable might be + set on some systems that don't run OS X 10.11. This should be harmless + from a technical point of view, but the presence of SIP indicators in + rEFInd could be confusing. + - Added refind-mkdefault script to simplify resetting rEFInd as the default boot program in Linux. The intent is to run this after GRUB, Windows, OS X, or some other tool takes over as the primary boot manager. It can be diff --git a/docs/refind/sip.html b/docs/refind/sip.html index 1617769..22759e7 100644 --- a/docs/refind/sip.html +++ b/docs/refind/sip.html @@ -312,7 +312,7 @@ csr_values 10,77

Note the line that reads "System Integrity Protection is disabled (0x77)" (highlighted in this screen shot). This line will be updated whenever you use the CSR rotation tool, so if you've specified a large number of values and have forgotten where you are in your rotation, you can use the About screen to figure it out.

-

Both the summary on the About page and the CSR rotation tool depend on the presence of the csr-active-config NVRAM variable, which is where this information is stored. Thus, these features will not be present on older Macs that have not seen the presence of an OS X version that sets this variable. Likewise, you probably won't see the SIP summary in About or be able to set these values via csr_rotate and csr_values on a UEFI-based PC. (You could always create the variable on such a system in some other way, in which case rEFInd would let you adjust it, but it would have no effect on any OS except OS X.)

+

If your Mac doesn't yet run OS X 10.11, rEFInd claims that SIP is enabled in the "About" screen. If you set the showtools and csr_values options as described earlier, you can adjust the SIP settings on such a Mac, but this will have no effect because neither pre-10.11 version of OS X nor any other OS honors these settings. On UEFI-based PCs, rEFInd won't display SIP status unless you store the csr-active-config NVRAM variable in some way. If you do, rEFInd will enable you to adjust it, but it won't have any effect on the OSes most commonly found on UEFI-based PCs.

I provide these features in rEFInd as a convenience for developers and other advanced users who have a need to adjust their SIP settings. Using rEFInd for this purpose is much faster than booting into the OS X Recovery system to make these adjustments. I discourage others from playing with these settings, since changing them inappropriately could cause problems; that's why they're not enabled by default.

diff --git a/refind/apple.c b/refind/apple.c index 9f9b1f3..437b523 100644 --- a/refind/apple.c +++ b/refind/apple.c @@ -30,7 +30,9 @@ CHAR16 gCsrStatus[256]; // Get CSR (Apple's System Integrity Protection [SIP], or "rootless") status -// information. +// information. If the variable is not present and the firmware is Apple, fake +// it and claim it's enabled, since that's how OS X 10.11 treats a system with +// the variable absent. EFI_STATUS GetCsrStatus(UINT32 *CsrStatus) { UINT32 *ReturnValue = NULL; UINTN CsrLength; @@ -47,6 +49,9 @@ EFI_STATUS GetCsrStatus(UINT32 *CsrStatus) { SPrint(gCsrStatus, 255, L" Unknown System Integrity Protection version"); } MyFreePool(ReturnValue); + } else if ((Status == EFI_NOT_FOUND) && (StriSubCmp(L"Apple", ST->FirmwareVendor))) { + *CsrStatus = SIP_ENABLED; + Status = EFI_SUCCESS; } // if (Status == EFI_SUCCESS) } // if (CsrStatus) return Status; @@ -77,7 +82,7 @@ VOID RecordgCsrStatus(UINT32 CsrStatus, BOOLEAN DisplayMessage) { egDisplayMessage(gCsrStatus, &BGColor); PauseSeconds(3); } // if -} // VOID RecordgCsrStatus +} // VOID RecordgCsrStatus() // Find the current CSR status and reset it to the next one in the // GlobalConfig.CsrValues list, or to the first value if the current
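Review bot: In the Makefile hunk, REFIND_VERSION is bumped to L"0.10.2.1", while the NEWS.txt hunk in the same patch files this change under the 0.10.3 heading. If 0.10.2.1 is an interim build string, a short comment beside the export saying so would keep it from being read as a release that NEWS.txt never lists.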
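Review bot: In the paragraph added to docs/refind/sip.html, the condition is given as "If your Mac doesn't yet run OS X 10.11", but the apple.c change keys on csr-active-config being absent on Apple firmware, and NEWS.txt names the motivating case as Macs that do run OS X 10.11 yet lack the variable. Suggest wording the paragraph in terms of the missing variable, covering the 10.11 case in which adjusting the value does take effect, and stating that the status shown is assumed rather than read from NVRAM. Also, "neither pre-10.11 version of OS X" should read "neither pre-10.11 versions of OS X".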
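Review bot: In GetCsrStatus() in refind/apple.c, the new else-if branch passes ST->FirmwareVendor to StriSubCmp() with no NULL check visible, and it returns EFI_SUCCESS with SIP_ENABLED without writing gCsrStatus, which the branch just above fills with SPrint(). Suggest guarding the vendor pointer, and either setting gCsrStatus in this branch or saying in the function comment that the caller must follow up with RecordgCsrStatus(). Because the branch rewrites EFI_NOT_FOUND to EFI_SUCCESS, callers can no longer tell a faked value from one stored in NVRAM; a separate flag or return code for the "variable absent" case would let the About screen and the rotation tool say that the value is assumed.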