Enable & Disable System Integrity Protection (SIP) on a Hackintosh

Hackintosher

Administrator
Joined
Jan 21, 2018
macOS
Mobo
Gigabyte Z370N WIFI
CPU
i3-8100
GPU
UHD 630 Graphics
#1
This is how you can easily toggle enable/disable SIP on a hackintosh. Now many of you already know how to do this, but I created these steps for beginners to which they can reference and to which I can reference to in other guides.

Toggling SIP
Traditionally on a Mac you would go into the recovery partition and enable/disable SIP through Terminal with the csrutil command, however on a hackintosh there are two more convenient ways to toggle SIP on/off.

The first way is through the config.plist file of your EFI folder. Normally you will want to leave SIP disabled here, but it's easy to change it here to enabled if you need to for some reason.

Method 1: config.plist
  1. Open config.plist in Clover Configurator
  2. Navigate RT Variables > CsrActivateConfig
  3. Change CsrActivateConfig to appropriate value
    1. Disable SIP: 0x67
    2. Enable SIP: 0x00
  4. Reboot Hackintosh to apply changes
Method 2: Clover Boot loader
The value set in config.plist will be the default value on every boot, but you can temporarily change CsrActivateConfig in the Clover Boot loader for a single boot. What this does is override the value set in config.plist for that boot, once you restart the hackintosh CsrActivateConfig will revert back to the default value. Being able to do this in the boot-loader is convenient if you only need it change it temporarily for example when installing drivers without having mount and edit config.plist changing CsrActiveConfig back and forth.
  1. Boot into Clover EFI Menu
  2. Select Options (gear icon) using arrow keys
  3. Select System Parameters
  4. Select System Integrity Protection
  5. Change to enable/disable
    1. Disable SIP - Check: Allow Untrusted Kexts, Allow Unrestricted FS, Allow Task for PID, Allow Unrestricted Dtrace, Allow Unrestricted NVRAM
    2. Enable SIP - Uncheck everything
  6. Select Return
  7. Select Return again
  8. Select Return again...
  9. Boot macOS partition
 

Attachments

Joined
Jan 29, 2018
macOS
10.13.5
Mobo
Gigabyte Z370 Gaming 7
CPU
i7-8700k
GPU
Sapphire Vega 56 Pulse
#2
Thanks for this. What are the real word potential problems of leaving it disabled?
 

hevisko

New member
Joined
Feb 26, 2018
macOS
10.13.3,
Mobo
Desktop: Asus Z170-A Laptop: HP 470-G0
CPU
i5-6500
GPU
MSI-GTX760 - want to replace with 2x RX560 (Saphire Pulse 2G and/or Asus 4G OC)
#4
Joined
Dec 8, 2018
macOS
10.14.1
Mobo
GIGABYTE GA-Z97M-D3H
CPU
Intel Core i7-4790K
GPU
SAPPHIRE Radeon RX Vega64 8G HBM2
#5
What about partially allowing unsigned kexts with 0x3? Does that still work in Mojave?
 

Greg007

New member
Joined
Jan 28, 2019
macOS
10.14.2
Mobo
Gigabyte Z370 Aorus Ultra Gaming
CPU
I5 8600K
GPU
Sapphire Pulse Radeon RX560 4GB GDDR5
#6
What about partially allowing unsigned kexts with 0x3? Does that still work in Mojave?
Bump!
Anyone tried it? I think this should be the default setting - at least you have then a partial protection....
 

tallinn

New member
Joined
Apr 10, 2019
macOS
10.14.4
Mobo
Gigabyte Z170X-Ultra-Gaming
CPU
i7 6900
GPU
Sapphire Radeon RX Vega 64 Nitro+ 8GB
#7
I am currently running with full sip enabled. Everything seems to work so far. I think, SIP must be disabled temporarily to install new (unsigned) kexts in L/E. Or to have them inserted by clover (which the saying is that this is a bad way - you shall install kexts in L/E and just keep basic kexts needed to boot the recovery partition as a copy in clover, and set clover insert kexts to "detect"). However I boot with kext-dev-mode=1, whatever that means. I forgot where I obtained the information about this flag.

Things may change significantly with 10.14.5 as Apple announced this will be the first macOS version to enforce Apple notarization of apps and kexts.
 
Joined
May 23, 2019
macOS
10.14.5
Mobo
Dell Inspiron 15 5567
CPU
Intel i3-6006U
GPU
Intel HD Graphics 520
#8
Are kexts with invalid signatures the same as unsigned kexts?
 

Latest posts