magnifico Posted September 29, 2015

> Hello Blackosx
> Are these values still valid now that OS X El Capitan 10.11 GM has been released? I've personally used 0x11 & 0x77 without any issues but didn't know if Apple might have changed the source again.
>
> Since OS X El Capitan's release date is just around the corner, I thought having a little cheat sheet with the csr-active-config (System Integrity Protection) values might be helpful. Attached you'll find my PDF with all of the currently available values from the research done by Blackosx (and others).
>
> csr-active-config.png
>
> Thanks to everyone else who has tested Apple's new security feature with Hackintosh hardware and provided feedback!
>
> Gratitude,
> Robert aka Mrengles
>
> Edit: If Apple updates or changes these values for any reason, I'll do my best to keep everything up-to-date!

Nice Job

Foxic Posted September 29, 2015

Right, bit of a strange one. I've been running Clover without issues for about 2 years. Previously I was on 2953 running Yosemite. I updated through the App Store to El Capitan GM and updated Clover to 3270 in preparation for the first boot under El Cap.

Upon reboot I was met with the 'BIOS like' screen with 5 options, the first being continue, meaning Clover couldn't find BOOTX64.efi. I've always had Clover installed in / of Macintosh HD but thought I'd copy the EFI folder to the EFI partition disk0s1. Great, now I have the boot loader GUI back but I can only see Recovery HD, no Macintosh HD.

Weird, so I formatted and installed from scratch (I only need fakesmc, realtek81xx and my dsdt so it's not particularly painful). I can now boot into El Cap using Clover on USB, installed Clover to the hard drive and I'm back to square 1. I can't see Macintosh HD through Clover.

Is there an issue with build 3270? I'm doing nothing any differently to previous installs. Seriously confused!

CooSee Posted September 30, 2015

> Is there an issue with build 3270?

--

I'm new to Clover - first time used with ElCap, and I can confirm there's a misbehaviour with 3270 & 3276 (even re-compiled), but sometimes the system won't start (no changes were made at all to config.plist or system).

After changing a theme I get a kernel panic with the above mentioned versions.

Only success with 3264.

--

OR MAYBE my system is a little bit too old - it's time to get a 6 core ;-)

AsusFreak Posted September 30, 2015

No problem here with El Cap and Clover on 3264 thru 3276.

oSxFr33k Posted September 30, 2015

> Take into account that csr-active-config is in NVRAM that is common for all partitions including Recovery.

What if it's on a separate SSD drive? I have each drive with its own Clover bootloader and always try to keep both versions updated to be the same. I have emuvariable and nvram.plist separate on each drive. I did not install emuvariable to all boot drives during Clover install, just to the booted drive. I never install Clover onto another drive from the booted drive, if that makes any difference? I always install Clover onto a drive I have booted from, onto that same drive. Sounds like a puzzle.

I hit F8 (Asus key) to choose which EFI drive to boot to, but my question is, will there be any potential issues with Emuvariable, Nvram.plist or CSR values crossing from one drive to the other?

Edited:
Yosemite 10.10.5 on drive #1
El Capitan GM on drive #2

cecekpawon Posted September 30, 2015

Dunno if this is the right way to play with

$ php scriptname.php --help

Move to github

Edited October 11, 2015 by cecekpawon

joe75 Posted September 30, 2015

> What if it's on a separate SSD drive? I have each drive with its own Clover bootloader and always try to keep both versions updated to be the same. I have emuvariable and nvram.plist separate on each drive. I did not install emuvariable to all boot drives during Clover install, just to the booted drive. I never install Clover onto another drive from the booted drive, if that makes any difference? I always install Clover onto a drive I have booted from, onto that same drive. Sounds like a puzzle.
>
> I hit F8 (Asus key) to choose which EFI drive to boot to, but my question is, will there be any potential issues with Emuvariable, Nvram.plist or CSR values crossing from one drive to the other?

FYI you should only have one boot manager and it should be located on the system's main ESP. Real NVRAM is global and is intended to be system wide. With you using emulated NVRAM you can keep things separate, but you also introduce confusion because you could be writing to real NVRAM and also loading emulated NVRAM from an nvram.plist. We should always choose to use real NVRAM if it's possible to be written to, and you do have potential of conflicting values if using the emuvariable.

CooSee Posted September 30, 2015

> FYI you should only have one boot manager and it should be located on the system's main ESP. Real NVRAM is global and is intended to be system wide. With you using emulated NVRAM you can keep things separate, but you also introduce confusion because you could be writing to real NVRAM and also loading emulated NVRAM from an nvram.plist. We should always choose to use real NVRAM if it's possible to be written to, and you do have potential of conflicting values if using the emuvariable.

One bootloader for all?! What if the bootloader doesn't work after update and there is no chance to repair?

I always install on each SSD and start my system with F12 and choose the OS.

1. Yosemite - Chameleon
2. CCC Backup Yosemite and Data
3. El Capitan - Clover
4. CCC Backup El Capitan
5. Gentoo - Grub

NO Windows installed ;-)

greetings

arsradu Posted September 30, 2015

> One bootloader for all?! What if the bootloader doesn't work after update and there is no chance to repair?
>
> I always install on each SSD and start my system with F12 and choose the OS.
>
> 1. Yosemite - Chameleon
> 2. CCC Backup Yosemite and Data
> 3. El Capitan - Clover
> 4. CCC Backup El Capitan
> 5. Gentoo - Grub
>
> NO Windows installed ;-)
>
> greetings

Boot Manager, not boot loader. And if it doesn't work, you boot from a USB installer/DVD etc.

blackosx Posted September 30, 2015

> Hello Blackosx
> Are these values still valid now that OS X El Capitan 10.11 GM has been released? I've personally used 0x11 & 0x77 without any issues but didn't know if Apple might have changed the source again.

Hi Mrengles

The values shown in my post were for the SIP values set by each option of Apple's csrutil utility from the recovery partition with DP7. So on your PDF, the column titled Configuration should actually be Command, as it was the exact command to enter in Terminal to achieve the result. The last entry on your PDF, 'csrutil disabled (No Internal)', is not a real command and was in my original list under 'other settings' just to show that other values can be used, for example 0x03.

With regard to whether anything has changed, I believe the existing values remain unchanged, though I recommend checking Pike's blog and posts here, as I know he's mentioned a value of 80 recently. I haven't had time to conduct more tests so can't give confirmation right now.

Regards

chris1111 Posted September 30, 2015

> Is there an issue with build 3270?
>
> --
>
> I'm new to Clover - first time used with ElCap, and I can confirm there's a misbehaviour with 3270 & 3276 (even re-compiled), but sometimes the system won't start (no changes were made at all to config.plist or system).
>
> After changing a theme I get a kernel panic with the above mentioned versions.
>
> Only success with 3264.
>
> --
>
> OR MAYBE my system is a little bit too old - it's time to get a 6 core ;-)

ESP Installation are you selected this setting ? + your Driver

Copied your EFI folder on desktop before starting the program and verify each Folder driver after Clover installation

CooSee Posted September 30, 2015

> ESP Installation are you selected this setting ? + your Driver
>
> Copied your EFI folder on desktop before starting the program and verify each Folder driver after Clover installation

Yes, exactly!

But it's not a big deal - Yosemite is working perfect ( your fault )

I must admit, I didn't read much about Clover.

It's time for me to get a NEW system - maybe I'll clone yours (GA Z87X-UD5H / i7 4770k) - no worries anymore in the future.

Thanks for the reply

joe75 Posted September 30, 2015

Yes, one boot manager to handle all your boot loaders. It's good practice to keep a usable boot manager on a small USB flash drive for emergencies.

smolderas Posted September 30, 2015

@Slice: I've noticed after updating to the newest r3277 (from r3228) that if one doesn't set the property CsrActiveConfig, Clover will then set it to 0x67, which disables the entire SIP. I think it is a security vulnerability. Wouldn't it be better to document the feature in the wiki and let the end user decide if they want to disable SIP or not?

Sorry if it has been already discussed...

Andres ZeroCross Posted September 30, 2015

Hi everyone, please check my submitted ticket here: https://sourceforge.net/p/cloverefiboot/tickets/177/

It looks like Clover makes a wrong sensor about the SkyLake processor: it shows 1 core 16 threads, it should be 4 cores 8 threads.

dreadkopp Posted September 30, 2015

Hey! I've got two questions:

1: Here in post #10 Slice talks about the possibility to set different settings for different cards, but I don't quite get how I should alter my config.plist to use this. I run three GPUs in my machine, of which two need injection. Right now I have to do the settings manually in Clover at boot.

2: Clover is also able to boot Linux, which is great. But is there any way to pass more arguments to the kernel (aka boot flags)?

Cheers

yuntimcgunti Posted September 30, 2015

Just downloading the final version of El Capitan after patiently waiting out the beta period. I just wanted to check the key things I need to change when upgrading from a working Yosemite install:

I'm on Clover version 3259 and my config.plist currently has only:

<key>RtVariables</key>
<dict>
    <key>MLB</key>
    <string>C07039601ANDD17DV</string>
    <key>ROM</key>
    <string>78ca392e 3bb0</string>
</dict>

I take it I need to add in the two additional keys - booterconfig with string as 0x28 and csractiveconfig with the string as either 0x67 or 0x77. (But if I pick one of those values for csractiveconfig I'll still get some SIP error messages - is that right?)

However, if I make it 0x11 will those SIP messages disappear? Is the issue with going with 0x11 that it isn't advisable to copy kexts to /Library/extensions (does that make things unstable?)

I only have a few kexts in EFI/Clover/kexts/10.10:

AppleIntelE1000e.kext
FakeSMC.kext
NullCPUPowerManagement.kext
realtekALC.kext

(I take it these need to be copied to the 10.11 folder?)

I can see FakeSMC.kext in /System/Library/extensions - but none of the others (are these not being injected?)

Do I also need to turn off the kext-dev-mode=1 boot option (or is it just ignored now)?

Any other things to be wary of?

Thanks.

Setup is
Intel Core i5 4570
Gigabyte Z87m-D3h
Nvidia 780 Ti

arsradu Posted September 30, 2015

> Just downloading the final version of El Capitan after patiently waiting out the beta period. I just wanted to check the key things I need to change when upgrading from a working Yosemite install:
>
> I'm on Clover version 3259 and my config.plist currently has only:
>
> <key>RtVariables</key>
> <dict>
>     <key>MLB</key>
>     <string>C07039601ANDD17DV</string>
>     <key>ROM</key>
>     <string>78ca392e 3bb0</string>
> </dict>
>
> I take it I need to add in the two additional keys - booterconfig with string as 0x28 and csractiveconfig with the string as either 0x67 or 0x77. (But if I pick one of those values for csractiveconfig I'll still get some SIP error messages - is that right?)
>
> However, if I make it 0x11 will those SIP messages disappear? Is the issue with going with 0x11 that it isn't advisable to copy kexts to /Library/extensions (does that make things unstable?)
>
> I only have a few kexts in EFI/Clover/kexts/10.10:
>
> AppleIntelE1000e.kext
> FakeSMC.kext
> NullCPUPowerManagement.kext
> realtekALC.kext
>
> (I take it these need to be copied to the 10.11 folder?)
>
> I can see FakeSMC.kext in /System/Library/extensions - but none of the others (are these not being injected?)
>
> Do I also need to turn off the kext-dev-mode=1 boot option (or is it just ignored now)?
>
> Any other things to be wary of?
>
> Thanks.
>
> Setup is
> Intel Core i5 4570
> Gigabyte Z87m-D3h
> Nvidia 780 Ti

You've got the green light to update.

1. Move your kexts from Clover/kexts/10.10 to 10.11 (as you suspected). Or copy them if you're planning on keeping Yosemite and installing El Capitan on a different partition, but on the same HDD/SSD.

2. You don't need to add RT Variables. I think Clover will add them anyway on new installations. However, if you want to add them manually, yes, 0x28 for BooterConfig and 0x67 for CsrActiveConfig will disable SIP enough to give access to pretty much everything. You can tweak that later on, don't worry about it. You can boot just as well with 0x28 and 0x1. So... yeah, just go ahead and update.

3. kext-dev-mode=1 is not needed in El Capitan (it's got SIP now). So if you're not planning on getting back to Yosemite, you can remove that with no problem.

4. You don't need to copy anything to S/L/E. It's not needed. Clover injection works beautifully from EFI. Also, you should not have custom kexts in both places (S/L/E and Clover/kexts/10.x).

You can use Clover Configurator for a more user-friendly editing interface for your config.plist. Just make sure it's the latest version (I think 4.24 is the latest one).

JorgeMax Posted September 30, 2015

> You've got the green light to update.
>
> 1. Move your kexts from Clover/kexts/10.10 to 10.11 (as you suspected). Or copy them if you're planning on keeping Yosemite and installing El Capitan on a different partition, but on the same HDD/SSD.
>
> 2. You don't need to add RT Variables. I think Clover will add them anyway on new installations. However, if you want to add them manually, yes, 0x28 for BooterConfig and 0x67 for CsrActiveConfig will disable SIP enough to give access to pretty much everything. You can tweak that later on, don't worry about it. You can boot just as well with 0x28 and 0x1. So... yeah, just go ahead and update.
>
> 3. kext-dev-mode=1 is not needed in El Capitan (it's got SIP now). So if you're not planning on getting back to Yosemite, you can remove that with no problem.
>
> 4. You don't need to copy anything to S/L/E. It's not needed. Clover injection works beautifully from EFI. Also, you should not have custom kexts in both places (S/L/E and Clover/kexts/10.x).
>
> You can use Clover Configurator for a more user-friendly editing interface for your config.plist. Just make sure it's the latest version (I think 4.24 is the latest one).

Friend and the flag: "Rootless = 1", you will be required in the El Capitan yet?

arsradu Posted September 30, 2015

> Friend and the flag: "Rootless = 1", you will be required in the El Capitan yet?

No. If you set Rt Variables, "rootless=1" is not required. Also, I'm pretty sure it's already obsolete.

yuntimcgunti Posted September 30, 2015

Brilliant, thanks - from your comment - "you should not have custom kexts in both places" - does that mean I should remove the FakeSMC.kext which is in /S/L/E and also in clover/kexts/10.x?

Yup, I use Clover Configurator - it's handy. I'm on the 4.24 version but it doesn't seem to have an option (in Boot?) for RT Variables -> BooterConfig and CsrActiveConfig. Not a big deal as I can edit config.plist manually.

arsradu Posted September 30, 2015

> - from your comment - "you should not have custom kexts in both places" - does that mean I should remove the FakeSMC.kext which is in /S/L/E and also in clover/kexts/10.x?

No, just keep your custom kexts in one place: Clover/kexts/10.x. Not in Clover and also in S/L/E. But in one place only. And I would recommend that place to be in Clover's kexts folder.

Clover Configurator has a dedicated RtVariables section (separate from Boot). That's where you need to add those values.

yuntimcgunti Posted September 30, 2015

Now I see it in Clover Configurator - very obvious now I see it! Thanks for your replies - really kind.

yuntimcgunti Posted September 30, 2015

Upgraded, all seems OK apart from the Nvidia web driver saying it's not compatible and there is no update? The version is: 346.02.03f01. Anyone else got it working? (using 780 Ti)

TheRacerMaster Posted September 30, 2015

> @Slice: I've noticed after updating to the newest r3277 (from r3228) that if one doesn't set the property CsrActiveConfig, Clover will then set it to 0x67, which disables the entire SIP. I think it is a security vulnerability. Wouldn't it be better to document the feature in the wiki and let the end user decide if they want to disable SIP or not?
>
> Sorry if it has been already discussed...

I agree, I think Clover should only automatically allow unsigned kexts by default (0x11 IIRC) only if the NVRAM variable csr-active-config doesn't exist (not the Clover CsrActiveConfig property).

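
The csr-active-config values traded in this thread (0x11, 0x67, 0x77, 0x03) are bitmasks, so which protections a given value switches off can be read bit by bit. The decoder below is an added example, not part of any post and not Clover's code; flag names follow XNU's bsd/sys/csr.h for OS X 10.11, while the function names and sample strings are constructed and the `nvram` output format is an assumption stated in the code.

```python
# Added example: decode a csr-active-config bitmask for auditing.
# Flag names and bit positions follow XNU bsd/sys/csr.h (OS X 10.11).
CSR_FLAGS = [
    (0x01, "CSR_ALLOW_UNTRUSTED_KEXTS"),
    (0x02, "CSR_ALLOW_UNRESTRICTED_FS"),
    (0x04, "CSR_ALLOW_TASK_FOR_PID"),
    (0x08, "CSR_ALLOW_KERNEL_DEBUGGER"),
    (0x10, "CSR_ALLOW_APPLE_INTERNAL"),
    (0x20, "CSR_ALLOW_UNRESTRICTED_DTRACE"),
    (0x40, "CSR_ALLOW_UNRESTRICTED_NVRAM"),
    (0x80, "CSR_ALLOW_DEVICE_CONFIGURATION"),
]
KNOWN_MASK = sum(bit for bit, _ in CSR_FLAGS)


def parse_plist_value(text):
    """Clover's config.plist holds CsrActiveConfig as a hex string, e.g. '0x67'."""
    return int(text.strip(), 16)


def parse_nvram_value(text):
    """Decode the value column printed by `nvram csr-active-config`.

    Assumption: nvram prints printable bytes literally and all others as %xx,
    so 0x67 shows up as 'g%00%00%00' and 0x11 as '%11%00%00%00'.
    The variable is a little-endian 32-bit integer.
    """
    raw = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "%":
            raw.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            raw.append(ord(text[i]))
            i += 1
    return int.from_bytes(bytes(raw[:4]).ljust(4, b"\x00"), "little")


def decode(value):
    """Return the names of every flag set in value; unknown bits are reported too."""
    names = [name for bit, name in CSR_FLAGS if value & bit]
    unknown = value & ~KNOWN_MASK
    if unknown:
        names.append("UNKNOWN_BITS_0x%x" % unknown)
    return names


def extra_over(value, baseline):
    """Flags that value relaxes beyond baseline (e.g. 0x67 versus 0x11)."""
    return decode(value & ~baseline)


if __name__ == "__main__":
    # Constructed samples: the values mentioned in the thread.
    for text in ("0x11", "0x67", "0x77", "0x03"):
        print(text, decode(parse_plist_value(text)))
    print("0x67 beyond 0x11:", extra_over(0x67, 0x11))
    print("nvram 'g%00%00%00' ->", hex(parse_nvram_value("g%00%00%00")))
```
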