
davidlv

macrumors 68020
Original poster
Apr 5, 2009
2,291
874
Kyoto, Japan
Using an iMac 15,1 late 2014 5K Retina running Monterey 12.6.2 B2 21G312.
Using OCLP 0.4.11, all of the SIP settings are enabled, but using OCLP 0.5.1 the 1st, 2nd, and last SIP items are disabled; i.e., CSR_ALLOW_UNTRUSTED_KEXTS, CSR_ALLOW_UNRESTRICTED_FS, and CSR_ALLOW_UNAUTHENTICATED_ROOT are enabled by default.
Why are these settings different, as the hardware is exactly the same?
Running 0.4.11, the Bluetooth is somewhat iffy, not recognizing different Apple mice at times (much worse with 12.6.1).
Everything seems to work with 0.5.1, but you could say it would be better if SIP was entirely enabled (tried that btw, but immediately ran into strange glitches, and reverted to the default setting).
Does anyone know what is going on here?
 

davidlv

> Don’t use OpenCore’s SIP options, disable SIP the normal way https://developer.apple.com/documen...ling_and_enabling_system_integrity_protection

My question was not "how to disable SIP?".
Also, the Regular Way. Umm, have you tried that on a Mac that is not supported on Monterey, and running OCLP?
Obviously not, as the "Regular Way" - Command + r keys at boot - is not supported by OCLP.
Instead you have to hold down the Option key, boot into the OCLP EFI partition and then at the Boot Picker stage, hit the spacebar to show all of the boot-up options, one of which is the Recovery partition.
However, after disabling SIP in the Recovery partition, on reboot the default OCLP SIP settings (or any SIP setting you have set using OCLP) are then set again, ignoring the Recovery partition disable command.
I have tried setting all SIP settings to on via the OCLP method, and immediately experienced some odd glitches in 0.5.1.
That is why my question was "What is the difference in the two OCLP versions that makes the partial SIP settings necessary in OCLP 9.5.1 and not in OCLP 0.4.11?"
 

bogdanw

macrumors 603
Mar 10, 2009
6,099
3,011
> My question was not "how to disable SIP?".
> Also, the Regular Way. Umm, have you tried that on a Mac that is not supported on Monterey, and running OCLP?
> Obviously not, as the "Regular Way" - Command + r keys at boot - is not supported by OCLP.
> Instead you have to hold down the Option key, boot into the OCLP EFI partition and then at the Boot Picker stage, hit the spacebar to show all of the boot-up options, one of which is the Recovery partition.
> However, after disabling SIP in the Recovery partition, on reboot the default OCLP SIP settings (or any SIP setting you have set using OCLP) are then set again, ignoring the Recovery partition disable command.
> I have tried setting all SIP settings to on via the OCLP method, and immediately experienced some odd glitches in 0.5.1.
> That is why my question was "What is the difference in the two OCLP versions that makes the partial SIP settings necessary in OCLP 9.5.1 and not in OCLP 0.4.11?"

My suggestion was to delete the SIP configuration from config.plist and disable SIP as per Apple’s instructions.
By “regular way” I meant boot into recovery and run csrutil disable in Terminal.
The recovery volume is hidden by default, but it can be unhidden and show up in the list of boot options.

https://dortania.github.io/OpenCore-Legacy-Patcher/TROUBLESHOOTING.html#how-to-boot-big-sur-recovery
https://dortania.github.io/OpenCore...encore-issues.html#can-t-see-macos-partitions
https://dortania.github.io/OpenCore-Legacy-Patcher/POST-INSTALL.html#enabling-sip
https://dortania.github.io/OpenCore...oting/extended/post-issues.html#disabling-sip
 

davidlv

> My suggestion was to delete the SIP configuration from config.plist and disable SIP as per Apple’s instructions.
> By “regular way” I meant boot into recovery and run csrutil disable in Terminal.
> The recovery volume is hidden by default, but it can be unhidden and show up in the list of boot options.
>
> https://dortania.github.io/OpenCore-Legacy-Patcher/TROUBLESHOOTING.html#how-to-boot-big-sur-recovery
> https://dortania.github.io/OpenCore...encore-issues.html#can-t-see-macos-partitions
> https://dortania.github.io/OpenCore-Legacy-Patcher/POST-INSTALL.html#enabling-sip
> https://dortania.github.io/OpenCore...oting/extended/post-issues.html#disabling-sip

In the first place, your suggestion was only to use the regular way to disable SIP, and there was no mention of "to delete the SIP configuration from config.plist". Second, you did not mention the procedure required to have access to the Recovery partition. I searched and found that on the OCLP documents. Third, your suggestion to "disable" SIP is the opposite of my intention, as I said in my first post. I want to enable SIP if at all possible, without the glitches I saw when I used OCLP's settings menu to do that.
 

bogdanw

> In the first place, your suggestion was only to use the regular way to disable SIP, and there was no mention of "to delete the SIP configuration from config.plist". Second, you did not mention the procedure required to have access to the Recovery partition. I searched and found that on the OCLP documents. Third, your suggestion to "disable" SIP is the opposite of my intention, as I said in my first post. I want to enable SIP if at all possible, without the glitches I saw when I used OCLP's settings menu to do that.

The answer is in the changelog:
“Raise SIP requirement to 0x803 for root patching”
https://github.com/dortania/OpenCore-Legacy-Patcher/releases
But it’s irrelevant in my opinion, as you should have SIP disabled, the Apple way, to prevent ending up with “glitches” or an un-bootable system if Apple tightens security in one of the next updates.
Have a nice weekend!
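
Added example, not part of any post in this thread: the 0x803 in the changelog line quoted above is a bitmask over XNU's CSR_ALLOW_* flags, and decoding it yields the same three flags the original poster listed. The Python below decodes a value given either as hex or in the percent-encoded byte form printed by `nvram csr-active-config`; the flag table follows XNU's csr.h, and the function names and sample inputs are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

# Bit positions of the CSR_ALLOW_* flags as defined in XNU's bsd/sys/csr.h.
CSR_FLAGS = [
    "CSR_ALLOW_UNTRUSTED_KEXTS",             # 0x001
    "CSR_ALLOW_UNRESTRICTED_FS",             # 0x002
    "CSR_ALLOW_TASK_FOR_PID",                # 0x004
    "CSR_ALLOW_KERNEL_DEBUGGER",             # 0x008
    "CSR_ALLOW_APPLE_INTERNAL",              # 0x010
    "CSR_ALLOW_UNRESTRICTED_DTRACE",         # 0x020
    "CSR_ALLOW_UNRESTRICTED_NVRAM",          # 0x040
    "CSR_ALLOW_DEVICE_CONFIGURATION",        # 0x080
    "CSR_ALLOW_ANY_RECOVERY_OS",             # 0x100
    "CSR_ALLOW_UNAPPROVED_KEXTS",            # 0x200
    "CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE",  # 0x400
    "CSR_ALLOW_UNAUTHENTICATED_ROOT",        # 0x800
]

def parse_csr(text):
    """Accept '0x803' or the 4-byte little-endian form '%03%08%00%00'."""
    text = text.strip()
    if text.lower().startswith("0x"):
        return int(text, 16)
    # nvram prints printable bytes as characters and the rest as %XX.
    raw = unquote_to_bytes(text)
    if len(raw) != 4:
        raise ValueError(f"expected 4 bytes, got {len(raw)}: {text!r}")
    return int.from_bytes(raw, "little")

def relaxed(value):
    """Names of the protections this bitmask switches off."""
    names = [n for i, n in enumerate(CSR_FLAGS) if value >> i & 1]
    unknown = value >> len(CSR_FLAGS)
    if unknown:  # bits above 0x800 are reported, not silently dropped
        names.append(f"UNKNOWN_BITS_0x{unknown << len(CSR_FLAGS):x}")
    return names

def newly_relaxed(old, new):
    """Protections relaxed in `new` that were still enforced in `old`."""
    return relaxed(parse_csr(new) & ~parse_csr(old))

if __name__ == "__main__":
    # Constructed inputs: SIP fully enabled vs. the 0x803 from the changelog.
    for flag in newly_relaxed("0x0", "%03%08%00%00"):
        print("relaxed:", flag)
```
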
 

DeltaMac

macrumors G5
Jul 30, 2003
13,749
4,572
Delaware
So, there seem to be differences in the SIP configuration between different versions of the OCLP.
I would suspect that the reason for the changes is that OC developers are still "tuning" the whole patching process, and part of that might include changes to the SIP protection. There's likely some reason that developers want to adjust the SIP settings, without disabling SIP completely, which would be an all-or-nothing result. That level (disabled completely) may not be needed, nor advisable from a system stability standpoint. Maybe the changes in the SIP settings make the various patched drivers work more reliably, particularly through updates.
Probably a good reason to update the OpenCore version that you are using.
There might be adjustments to that SIP setting, even in the latest version of OCLP, which is now at version 0.5.2 -- check it out!
 

Jack Neill

macrumors 68020
Sep 13, 2015
2,272
2,308
San Antonio Texas
I went back to .4.11 on my 2013 iMac running 12.6.1 because .5.2 didn't work well with SIP enabled, Safari was wonky. I like to keep SIP enabled if possible. Monterey is running perfectly on this machine and it will probably be the last OS it gets. Ventura seems slow on Intel.
 

davidlv

> I went back to .4.11 on my 2013 iMac running 12.6.1 because .5.2 didn't work well with SIP enabled, Safari was wonky. I like to keep SIP enabled if possible. Monterey is running perfectly on this machine and it will probably be the last OS it gets. Ventura seems slow on Intel.

I too went back to 0.4.11 on my iMac15,1, late 2014 model. You might be interested in updating to the Beta 3 of 12.6.2, which seems to be very stable, and to have fixed the Bluetooth disconnects and some, if not most, of the USB issues (not disconnecting etc.). It is available at the Mr. Macintosh site or via the MDS app.
 

bogdanw

> I like to keep SIP enabled if possible.

You are running a bootloader, made mostly by some … Eastern Europeans, with the ability to inject undetectable malware into your system. Why do you think having SIP enabled is important?
 

Jack Neill

> You are running a bootloader, made mostly by some … Eastern Europeans, with the ability to inject undetectable malware into your system. Why do you think having SIP enabled is important?

I like the word enabled. It makes me feel good about myself and gives me a self esteem boost. One of my favorite things about Apple products is how good they make you feel when you use them. I really feel enabled to be my best self.
 


tonib.

macrumors newbie
Feb 27, 2023
2
0
Everywhere
I'm on iMac 15.1 i7 Ventura via OCLP 0.67 and everything works perfectly, SIP completely disabled (all SIP items checked in OCLP > Settings > Security). I installed Parallels Desktop and when I try to patch it, it gives the error SIP Status Unknown it must be disabled... What should I do?
 

davidlv

> I'm on iMac 15.1 i7 Ventura via OCLP 0.67 and everything works perfectly, SIP completely disabled (all SIP items checked in OCLP > Settings > Security). I installed Parallels Desktop and when I try to patch it, it gives the error SIP Status Unknown it must be disabled... What should I do?

All of the VM apps have had trouble running under OCLP, until recently when the OCLP devs announced a beta test that seems to work for many people. Give it a try. Be careful to follow the directions exactly.
Another amazing piece of software engineering!
 