2

Some time ago, I read somewhere that Apple had decided to provide a way to enable SIP without a recovery reboot. If that’s true, how? It isn’t csrutil enable (at least not on my system).

It would be an obvious security risk to allow disable in normal use. But when I need to edit something “special,” it would be nice to do it with two reboots instead of four.

Of course, it may be that what I read was neither from Apple nor accurate. But I definitely read it, and my possibly faulty memory says it was in release notes for one of the updates.

No matter how much I try to make "enable" mandatory, web search gives me tons of hits on "disable."

WGroleau
  • https://apple.stackexchange.com/questions/261684/disable-sip-without-recovery-mode – anki Feb 20 '20 at 17:04
  • A "not possible" that's three or more years old doesn't answer the question on whether Apple had since provided a way to make it possible. Nor on what that method is. Also note that I said "enable," not "disable" and "reboot," not "recovery mode." – WGroleau Feb 20 '20 at 17:20
  • The other Q asks for disabling so at least in theory there could be a way to enable it anyway. Nevertheless can you please edit your question to focus on the actual issue? Right now there is a lot of unrelated stuff in it and the question primarily is in the title itself. – nohillside Feb 20 '20 at 17:47
  • https://apple.stackexchange.com/questions/376279/change-finder-icon-in-macos-catalina-without-rebooting – anki Feb 20 '20 at 17:52
  • The manual page for csrutil, in macOS Catalina, for the verb enable does say, "Only available in Recovery OS." – user3439894 Feb 20 '20 at 18:00
  • "it would be nice to do it with two reboots instead of four" Not an answer but resetting PRAM (with alt+cmd+p+r) turns on SIP again so that saves booting into recovery to turn it on again and you only need 3 reboots rather than 4. – lx07 Feb 20 '20 at 18:00

1 Answer

3

Generally, you can use sudo csrutil clear, followed by a reboot, to enable SIP. So the command enables SIP without a reboot; however, this does not go into effect until the next reboot. This gets it down to 3 reboots to enable/disable SIP.

You can get it down to two reboots by using rEFInd.

If you want to disable SIP with a single reboot, then install rEFInd. If you specify the --usedefault option when installing rEFInd, then rEFInd will be installed to the /EFI/BOOT folder in the EFI volume. This will allow rEFInd to appear in the Startup Manager. A boot to rEFInd is almost instantaneous, as opposed to macOS Recovery which is not. Once rEFInd is properly installed, changing the status of SIP can be done by the following steps.

  1. Reboot and hold down the option key to boot to the Startup Manager.
  2. Select to boot to rEFInd.
  3. From the rEFInd menu, select to enable or disable SIP.
  4. From the rEFInd menu, select to boot to macOS.

If you have Windows or another Linux installed which uses the /EFI/BOOT folder in the EFI partition, then you will need to create another small partition for rEFInd to boot from. This can be another EFI partition, a FAT32 formatted or ExFAT formatted partition. You can even put rEFInd on a flash drive, if you do not want rEFInd installed on your internal drive.

I also should note that rEFInd now includes gdisk, which is a command that is easier to use than the gpt command included with macOS. So, if you need SIP temporarily disabled to edit the partitioning on disk0, you can do this in only 1 boot.

  • In http://www.rodsbooks.com/refind/features.html it states "Beginning with version 0.10.0, the ability to adjust Apple System Integrity Protection (SIP; aka "rootless" or "CSR") settings. These settings control what features are off-limits even to root in macOS 10.11 (El Capitan) and later. To use this feature, you must set specific CSR values on refind.conf's csr_values line and add csr_rotate to the showtools line." ... Is this still necessary to do? – user3439894 Feb 21 '20 at 01:08
  • @user3439894: You probably have to edit the refind.conf file and specify csr_rotate in showtools and enable csr_values. To use gdisk you may have to specify gdisk in showtools – David Anderson Feb 21 '20 at 02:00
  • So then, it's not as straightforward as your answer leads one to believe. You have to install it, then specially configure it for it to work as you've described. – user3439894 Feb 21 '20 at 02:03
  • @user3439894: I was not trying to explain how to configure rEFInd. I was trying to indicate that rEFInd's functionality has been expanded beyond that of just being a boot manager. In this case, you would not need any of rEFInd's original boot manager functionality. Instead you would be using the added ability to enable/disable SIP by installing rEFInd so it would appear in the Startup Manager. – David Anderson Feb 21 '20 at 04:05
  • At first glance, this sounds like it might be worth doing. I’ll have to think about it. – WGroleau Feb 21 '20 at 06:59
  • +1 - this is the quickest way. Note if you run refind-install without the --usedefault option it will install to EFI/refind rather than EFI/BOOT. This means you don't need to create another partition if you are using EFI/BOOT for something else. – lx07 Feb 21 '20 at 07:23
  • 1
    @Ix07: If rEFInd is installed to EFI/refind, then rEFInd will not appear in the Startup Manager. So, if you go this route, then you will have to also use rEFInd as the startup manager in place of the default Startup Manager provided by the firmware. – David Anderson Feb 21 '20 at 07:30
  • Since I reboot once in a while anyway, the first paragraph answers the question as asked, but the rEFInd sounds like a good idea for anyone who needs to bypass SIP often. – WGroleau Feb 21 '20 at 16:24
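
The comments above mention that rEFInd's SIP toggle depends on the csr_values and showtools lines in refind.conf. As an added example (not from rEFInd or from any poster here), the script below audits a refind.conf and lists which protections each hexadecimal csr_values entry would relax. The flag names follow the CSR_ALLOW_* constants in XNU's bsd/sys/csr.h; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: decode the hex entries on a refind.conf csr_values line.
# "bit:name" pairs mirror the CSR_ALLOW_* constants in XNU's bsd/sys/csr.h.
CSR_FLAGS="1:UNTRUSTED_KEXTS 2:UNRESTRICTED_FS 4:TASK_FOR_PID 8:KERNEL_DEBUGGER
16:APPLE_INTERNAL 32:UNRESTRICTED_DTRACE 64:UNRESTRICTED_NVRAM
128:DEVICE_CONFIGURATION 256:ANY_RECOVERY_OS 512:UNAPPROVED_KEXTS
1024:EXECUTABLE_POLICY_OVERRIDE 2048:UNAUTHENTICATED_ROOT"

# decode_csr HEX -> names of the flags set in HEX (written without 0x)
decode_csr() {
    val=$((0x$1))
    names=""
    for pair in $CSR_FLAGS; do
        bit=${pair%%:*}
        if [ $((val & bit)) -ne 0 ]; then
            names="${names:+$names }${pair#*:}"
        fi
    done
    printf '%s\n' "${names:-none}"
}

# audit_refind_conf FILE -> one "value: flags" line per csr_values entry.
# Lines starting with '#' are comments in refind.conf and are skipped.
audit_refind_conf() {
    sed -n 's/^[[:space:]]*csr_values[[:space:]]\{1,\}//p' "$1" |
    tr ',' '\n' | tr -d ' \t\r' |
    while read -r v; do
        if [ -n "$v" ]; then
            printf '%s: %s\n' "$v" "$(decode_csr "$v")"
        fi
    done
}

# Constructed sample configuration, for illustration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# csr_rotate must be listed in showtools for the SIP toggle to appear
showtools shell, gdisk, csr_rotate, about, reboot, shutdown
csr_values 10,77
EOF
audit_refind_conf "$sample"
rm -f "$sample"
```

On a real system, point audit_refind_conf at the refind.conf inside the rEFInd install directory and compare the result with what csrutil status reports after booting macOS.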