<key>csr-active-config</key>
<data>dwgAAA==</data><string>csr-active-config</string>
AllowToggleSip
Type: plist boolean
Failsafe: false
Description: Enable entry for disabling and enabling System Integrity Protection in OpenCore picker.
This will toggle Apple NVRAM variable csr-active-config between 0 for SIP Enabled and a practical default value for SIP Disabled (currently 0x26F).
Note 1: It is strongly recommended not to make a habit of running macOS with SIP disabled. Use of this boot option may make it easier to quickly disable SIP protection when genuinely needed - it should be re-enabled again afterwards.
Note 2: OC uses 0x26F even though csrutil disable on Big Sur sets 0x7F. To explain the choice:
csrutil disable --no-internal actually sets 0x6F, and this is preferable because CSR_ALLOW_APPLE_INTERNAL (0x10) prevents updates (unless you are running an internal build of macOS).
CSR_ALLOW_UNAPPROVED_KEXTS (0x200) is generally useful, in the case where you do need to have SIP disabled, as it allows installing unsigned kexts without manual approval in System Preferences.
CSR_ALLOW_UNAUTHENTICATED_ROOT (0x800) is not practical as it prevents incremental (non-full) OTA updates.
Note3: For any other value which you may need to use, it is possible to configure CsrUtil.efi as a TextMode Tools entry to configure a different value, e.g. use toggle 0x6F in Arguments to toggle the SIP disabled value set by default by csrutil disable --no-internal in Big Sur
github.com
github.com
alias efimount="sudo diskutil mount /dev/disk0s1"
alias efiumount="diskutil umount /dev/disk0s1"
alias ocedit="sudo diskutil mount /dev/disk0s1; bbedit /Volumes/EFI/EFI/OC/config.plist"alias getmacos='curl -O -L https://raw.githubusercontent.com/munki/macadmin-scripts/main/installinstallmacos.py && sudo python installinstallmacos.py'
alias efimount='u=$(nvram 4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102:boot-path | sed "s/.*GPT,\([^,]*\),.*/\1/"); if [ "$u" != "" ]; then sudo diskutil mount $u && open /Volumes/EFI/ ; fi'
alias efiumount='u=$(nvram 4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102:boot-path | sed "s/.*GPT,\([^,]*\),.*/\1/"); if [ "$u" != "" ]; then diskutil umount $u; fi'
alias ocedit='u=$(nvram 4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102:boot-path | sed "s/.*GPT,\([^,]*\),.*/\1/"); if [ "$u" != "" ]; then sudo diskutil mount $u && open /Volumes/EFI/ ; fi; bbedit /Volumes/EFI/EFI/OC/config.plist'
In multi disk setups, it is impossible to be certain that any one particular disk will always be assigned a
/dev/diskX id on every single boot. Basically, a /dev/diskX id should never be hard coded as it can vary between boots.
It will work in your particular environment, however you will find the MountEFI script much more flexible.
One time I've nuked 2TB of past macOS installers going back to Jaguar with a diskutil zerodisk because I've forgot to check the current device after a reboot.
u=$(nvram 4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102:boot-path | sed 's/.*GPT,\([^,]*\),.*/\1/'); if [ "$u" != "" ]; then sudo diskutil mount $u && open /Volumes/EFI/ ; fi in Terminal.In my case, since I play around with OC, nvme disk didn't move from disk0 identifier. Even booting from recovery.
Mounting a partition will not be so dangerous, even if someone get an erroneous identifier.
To long to remember or to write... so this involves copy & paste. I find very much easier write "efimount" or "ocedit". I tried to put the command above in an alias, but went in error with apostrophes and quotation marks.
alias efimount='u=$(nvram 4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102:boot-path | sed "s/.*GPT,\([^,]*\),.*/\1/"); if [ "$u" != "" ]; then sudo diskutil mount $u && open /Volumes/EFI/ ; fi'nvram 4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102:opencore-version
That's like saying you have been driving around your entire adult life at speed without wearing seat belts and haven't yet died from an accident.
I edited my alias and my previous message, in accordance with @Syncretic suggestion. Thanks to all.