by Roderick W. Smith, rodsmith@rodsbooks.com
Originally written: 11/8/2015; last Web page update:3/13/2020, referencing rEFInd 0.12.0
This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!
Client Based Testing This link will download a small.exe agent that can test for the presence of a SIP ALG on the network the host PC is connected to. After downloading, open the file and accept any permissions your windows/mac machine may ask for. If the results = False then a SIP ALG was not detected by the client. SIP-ALG-Detector is an utility to detect routers with SIP ALG enabled. It comes with a client and a server: The client is executed in a host into the private LAN. The server runs in a server with public IP. SIP test tools give you the ability to perform a load test on your phone system, sending thousands of calls using the SIP protocol with nothing more than a standard PC. It is a very inexpensive way to test your system, you don't even need an actual phone.
Donate $1.00 | Donate $2.50 | Donate $5.00 | Donate $10.00 | Donate $20.00 | Donate another value |
Aug 01, 2018 There are two ways to check System Integrity Protection status; by using the command line, and by using the System Information profiler tool. This article will show you both methods to see how to determine if System Integrity Protection / SIP is enabled or disabled on a Mac. SIPp is a free Open Source test tool / traffic generator for the SIP protocol. It includes a few basic SipStone user agent scenarios (UAC and UAS) and establishes and releases multiple calls with the INVITE and BYE methods. It can also reads custom XML scenario files describing from very simple to complex call flows.
This page is part of the documentation for the rEFInd boot manager. If a Web search has brought you here, you may want to start at the main page.
Apple's macOS 10.11 (aka El Capitan) added a new feature, known as System Integrity Protection (SIP), aka 'rootless' mode. This feature causes some consternation for advanced users, because it restricts what you can do with your computer, even as root. This page is dedicated to this new feature, including basic information on why SIP exists, how to install rEFInd on a computer with SIP enabled, and how to use rEFInd to manage SIP. Note that if you've come here for help installing rEFInd on a Mac with SIP enabled, you can click to one of the methods in the 'Contents' box to the left of this paragraph. I recommend trying Recovery mode first; but if you have reason to try another method, you can do so.
To understand SIP, you should first know that Unix-like systems, including macOS, have traditionally provided a model of security in which ordinary users can read and write their own files (word processor documents, digital photos, etc.), but cannot write to system files (programs, system configuration files, etc.)—and users cannot even read some system files. This system security model has worked well for decades on traditional Unix systems, which have been administered by computer professionals and used by individuals with less experience. For administrative tasks, the root account is used. On Macs, this access is generally granted by the sudo command or by various GUI tools. Most Macs, in contrast to traditional Unix mainframes and minicomputers from the 20th century, are single-user computers that are administered by their users. Such people often lack the knowledge of the professional system administrators who have traditionally managed Unix systems; but they must still perform system administration tasks such as installing new software and configuring network settings. MacOS has always provided some measure of security by requiring users to enter their passwords before performing these dangerous tasks, and by providing GUI tools to help guide users through these tasks in a way that minimizes the risk of damage.
Apple has apparently decided that these safeguards are no longer sufficient, at least for certain tasks, such as writing files to certain system directories and installing boot loaders. I won't try to speak for Apple or explain their motivations, but the result of Apple's decisions is SIP. With SIP active, as is the default, macOS 10.11 and later limits your ability to perform some of these administrative tasks. You can still install and remove most third-party programs, configure your network, and so on; but some critical directories can no longer be written, even as root, and some utilities cannot be used in certain ways, even as root. These restrictions impact rEFInd because one of the affected tools, a command called bless, is required to tell the Mac to boot rEFInd rather than to boot macOS directly.
The end result of SIP is that rEFInd cannot be installed under macOS 10.11 and later in the way described on the Installing rEFInd page—at least, not without first booting into Recovery mode, in which SIP restrictions are ignored; or disabling SIP (either temporarily or permanently). This page covers these two options in more detail, as well as a third: Using another OS to install rEFInd.
Unless you've deleted it, the Recovery HD partition should be present on your Mac as a way to perform emergency recovery operations. The nature of this tool means that SIP cannot be enabled when using it, so you can install rEFInd from a boot to this partition. The trouble is that this installation is not a full-fledged macOS system, so you may have trouble using it if you're not comfortable with such a bare-bones environment. Nonetheless, it is a good way to install rEFInd on a Mac that runs macOS 10.11 or later. To do so, follow these steps:
At this point, rEFInd should come up and enable you to boot into macOS and any other OS(es) that are already installed. You should not need to perform these steps again unless macOS re-installs its own boot loader or a subsequent OS installation overrides the default boot option. You can install an updated rEFInd from within your regular macOS system and it should install correctly, provided you're installing it to the EFI System Partition (ESP). The refind-install script may complain about a failure, but because you're overwriting one rEFInd binary with another one, it should continue to boot. (If you installed rEFInd to an HFS+ partition, though, replacing the original file will require using bless to tell the firmware about the change, so updating such an installation probably won't work with SIP active.)
Another option is to disable SIP for your regular boot. This is a viable option if you're an expert who needs regular access to tools with which SIP interferes, such as low-level disk utilities. Regular users should probably avoid this option unless the preceding procedure does not work—and in that case, you should disable SIP temporarily and then re-enable it when you've finished installing rEFInd. On this page, I describe two methods of disabling SIP: using macOS's Recovery HD system and using rEFInd on CD-R or USB flash drive.
You can use the Recovery HD, as in the previous procedure, to disable SIP. To do so, boot it and launch a Terminal window, as described in the previous section. Instead of locating and running the refind-install script, though, you should type:
This command will disable SIP for all OSes that honor this setting. (In theory, multiple versions of macOS might be installed on a single computer, and all of them that support SIP should honor the SIP settings. To the best of my knowledge, no non-Apple OS honors SIP settings, although that could change.)
Once you've typed this command, you can reboot the computer. When you return to your regular macOS installation, SIP should be disabled and rEFInd should install normally, as described on the Installing rEFInd page. You will also be able to use disk partitioning tools like my GPT fdisk, write to directories that are normally off-limits, and so on. Note that disabling SIP does not disable normal Unix-style protections—you'll still need to use sudo (or enter your password in a GUI dialog box) to acquire root privileges to perform these system-administration tasks. You'll be no less safe with SIP disabled under macOS 10.11 or later than you would be with macOS 10.10 or earlier; you simply won't have its added protections against user error or malicious software.
If you want to re-enable SIP, you can do so in exactly the way you disabled it, except that you should type csrutil enable rather than csrutil disable in the Recovery environment.
As described later on this page, rEFInd 0.10.0 and later provide SIP control features, but they're disabled by default—except on the USB flash drive and CD-R images available from the rEFInd downloads page. On these images, the SIP control features are enabled, and can toggle between the two main modes you can set via csrutil enable and csrutil disable/how-to-delete-trial-software-registry-locations.html. in the Recovery HD system. Thus, to disable SIP to install rEFInd, you can:
Once you install rEFInd, you can leave SIP enabled, enable your newly-installed rEFInd's SIP features and use them to disable SIP, or boot again from your external rEFInd to disable SIP.
This procedure has the advantage of being a bit quicker than using the Recovery HD—at least, if you've already got rEFInd 0.10.0 or later on an external medium. It will also work if your Recovery HD installation is missing or broken. On the other hand, it's probably easier to boot to the Recovery HD once or twice than to download and prepare a rEFInd boot medium. Also, some Macs are a little flaky when it comes to booting from external media, so you may have trouble booting in this way. Finally, if you don't already have rEFInd on an external medium and if you don't have an optical drive, writing a USB flash drive with dd carries a small risk of accidentally trashing your hard disk, particularly if you're unfamiliar with disk devices and dd.
A final option for installing rEFInd on a Mac that runs with SIP enabled is to do the installation using another OS. This other OS could be an OS that's already installed or an emergency boot disk, such as an Ubuntu installation/recovery system.
If you follow this path, you'll need to know something about how to boot and use your non-Apple OS. The options are quite varied, so I can't provide every detail; however, I do have a few tips:
I've tested this method of installing rEFInd on my MacBook Air (purchased in late 2014) and on my first-generation 32-bit Mac Mini, but I can't promise it will work on all Macs—or even on a Mac that's identical to one of mine but with a configuration that's different from mine. This installation method has worked well for me, and reports I've seen recently suggest it works fine for many others, too. On the other hand, in the past (mid-2010s and earlier), this method was less reliable. I assume that improvements to Linux kernels and efibootmgr have rendered this method more reliable, so I recommend using the latest Linux (or other OS) version you can find if you want to use this method.
Once rEFInd is installed, you can use it to manage SIP features; however, the rEFInd features needed to do this are disabled by default. You must uncomment or add two lines to your refind.conf file:
Note that both of these options must be set appropriately. If either of them is missing or misconfigured, rEFInd will not display the SIP tool. A typical configuration using these features might look like this:
Once these options are set and you reboot into rEFInd, you should see a new shield icon on the second row, as shown at the right. When you select this tool, rEFInd identifies the next available CSR value from the list you specified and switches to that mode, rotating back to the start of the list once the end is reached. To confirm that the SIP mode has changed, rEFInd displays, for three seconds, a message identifying the new mode.
Whether or not you've enabled these SIP features in refind.conf, rEFInd displays the current SIP status on its 'About' page:
Note the line that reads 'System Integrity Protection is disabled (0x77)' (highlighted in this screen shot). This line will be updated whenever you use the CSR rotation tool, so if you've specified a large number of values and have forgotten where you are in your rotation, you can use the About screen to figure it out.
If your Mac doesn't yet run macOS 10.11, rEFInd claims that SIP is enabled in the 'About' screen. If you set the showtools and csr_values options as described earlier, you can adjust the SIP settings on such a Mac, but this will have no effect because neither pre-10.11 version of macOS nor any other OS honors these settings. On UEFI-based PCs, rEFInd won't display SIP status unless you store the csr-active-config NVRAM variable in some way. If you do, rEFInd will enable you to adjust it, but it won't have any effect on the OSes most commonly found on UEFI-based PCs.
I provide these features in rEFInd as a convenience for developers and other advanced users who have a need to adjust their SIP settings. Using rEFInd for this purpose is much faster than booting into the macOS Recovery system to make these adjustments. I discourage others from playing with these settings, since changing them inappropriately could cause problems; that's why they're not enabled in rEFInd by default.
Although the goal of increased security is a good one, SIP is causing problems for intermediate and advanced users. The good news is that the process to install rEFInd on a system that runs macOS 10.11 or later, although more complex than it used to be, is not an impossible one. Furthermore, once you've done it, you shouldn't have to do it again for a while. (An update to macOS's boot loader is entirely possible, though. If nothing else, the next major macOS update may require re-installing rEFInd.) For advanced users, rEFInd can adjust SIP settings, which can be helpful if you occasionally want to do something that require greater-than-typical privileges.
copyright © 2015–2020 by Roderick W. Smith
This document is licensed under the terms of the GNU Free Documentation License (FDL), version 1.3.
If you have problems with or comments about this Web page, please e-mail me at rodsmith@rodsbooks.com. Thanks.
Return to my main Web page.