Question

I have Big Sur installed in a VMware Fusion Player virtual machine. I desire to disable SIP. With an actual physical Mac, the usual method would involve first booting to internal macOS Recovery, then entering the command given below in a Terminal window.

    csrutil disable

However, booting to internal macOS Recovery does not seem possible. Holding down the ⌘+R key combination at startup does not work. The Mac Startup Manager does not appear to exist. I can restart to firmware, but the Recovery volume does not have a boot.efi which can be chosen to boot from.

I realize the SIP setting is stored in the 4 byte NVRAM variable given below.

    7C436110-AB2A-4BBB-A880-FE41995C9F82:csr-active-config

The firmware does allow booting to a built‑in EFI 1.0 shell. However, this shell does not appear to have any commands which can modify this variable. In fact, the variable does not even currently exist in the virtual machine NVRAM. I tried entering the command below in a macOS Terminal window.

    sudo nvram csr-active-config=%7f%00%00%00

The result was the error message given below.

    nvram: Error setting variable - 'csr-active-config': (iokit/common) not permitted

What procedures can be used to disable SIP?

I am using the current free version of VMware Fusion Player (Version 12.1.0).

| Host Stats | Guest Stats |
|---|---|
| iMac (21.5-inch, Late 2013) | Mac |
| macOS Catalina version 10.15.7 | macOS Big Sur version 11.2 |
| Memory: 16 GB | Memory: 4 GB |
| Quad-Core Intel Core i5 | 2 processor cores |
| 2.9 GHz | 2.76 GHz |
| USB 3 (5 Gb/s) Samsung T7 SSD | SATA HDD |

Below are links to sites with procedures that either I could not get to work or only work with previous versions of macOS.

Can I initiate a MacOS restart to Recovery mode solely from the command line?
how to disable SIP (system integrity protection) in vmware fusion 12 for macOS big sur?


Solution

Follow the steps below to disable System Integrity Protection (SIP).

  1. Start by booting to macOS Big Sur and opening a Terminal application window. Next, enter the command given below. This will create an NVRAM variable with the desired value, but a misspelled variable name. This misspelling will be corrected in a later step.

    sudo nvram Asr-active-config=%7f%00%00%00
    
  2. Shut down macOS. In the Settings window for the virtual machine, select Startup Disk. Hold down the option key and select the Restart to Firmware… button, as shown below.

    Select the EFI Internal Shell, as shown below.

    If desired, enter the command below to get full use of the window.

    mode 128 40
    
  3. Set the current filesystem to the EFI volume. This should be the mapped fs0 filesystem, so you would enter the following:

    fs0:
    

    Next, verify the label is EFI by entering the command below.

    vol
    

    If wrong, then try fs1:, fs2:, fs3:, ....

  4. Enter the command below to save the Asr-active-config variable to the file csr.bin.

    dmpstore Asr-active-config -s csr.bin
    

    Note: For more information on this command enter help -b dmpstore.

    Next, enter the command below to edit the csr.bin file. You will need to correct the spelling by replacing the letter A with the letter c. This can be done by typing a 63 over the 41 on the first line.

    hexedit csr.bin
    

    The corrected file will appear as shown below. When finished save the changes and exit.

    Note: The value of the variable is stored in the last 4 bytes of this file.

    Enter the command below to create the csr-active-config variable in NVRAM.

    dmpstore -l csr.bin
    

    SIP will now be disabled on the next boot of Big Sur. If desired, enter the command below to remove the Asr-active-config variable from NVRAM.

    dmpstore -d Asr-active-config
    
  5. Enter the command below to leave the command shell.

    exit
    

    From the Boot Manager, select Mac OS X to boot Big Sur.

Format of the csr.bin File

| Offset in Hex | Size in Decimal | Description |
|---|---|---|
| 00-03 | 4 | Length of variable name |
| 04-27 | 36 | Variable name stored as null terminated UTF-16LE string |
| 28-37 | 16 | GUID of the variable |
| 38-3B | 4 | Attributes stored as 4 byte integer (See below) |
| 3C-3F | 4 | Length of the data |
| 40-43 | 4 | The 4 byte integer that comprises the data |

| Attribute | Value | Description |
|---|---|---|
| NV | 1 | Non-volatile |
| BS | 2 | Boot service Access |
| RT | 4 | Runtime Access |
| HR | 8 | Hardware Error Record |
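
The record layout in the table above can be checked with a short parser. This is an added example, not part of the original answer: the sample record is constructed, its NV|BS|RT attribute value is an assumption, and the GUID is assumed to use the standard mixed-endian EFI byte order.

```python
import struct
import uuid

ATTRS = {1: "NV", 2: "BS", 4: "RT", 8: "HR"}  # attribute values from the table above
GUID = "7C436110-AB2A-4BBB-A880-FE41995C9F82"


def parse_dump(blob):
    """Parse one variable record laid out as the table above describes."""
    if len(blob) < 4:
        raise ValueError("file too short")
    (name_len,) = struct.unpack_from("<I", blob, 0)
    off = 4
    # The name is UTF-16LE, so its length is even; GUID + two integers follow it.
    if name_len % 2 or off + name_len + 16 + 8 > len(blob):
        raise ValueError("bad name length")
    name = bytes(blob[off:off + name_len]).decode("utf-16-le").rstrip("\x00")
    off += name_len
    guid = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
    off += 16
    attrs, data_len = struct.unpack_from("<II", blob, off)
    off += 8
    data = bytes(blob[off:off + data_len])
    if len(data) != data_len:
        raise ValueError("truncated data")
    return {"name": name, "guid": str(guid).upper(),
            "attrs": [n for bit, n in ATTRS.items() if attrs & bit],
            "data": data}


def build_sample(name):
    """Constructed sample record (attributes NV|BS|RT = 7 are an assumption)."""
    raw = (name + "\x00").encode("utf-16-le")
    return (struct.pack("<I", len(raw)) + raw + uuid.UUID(GUID).bytes_le
            + struct.pack("<II", 7, 4) + bytes.fromhex("7f000000"))


if __name__ == "__main__":
    blob = bytearray(build_sample("Asr-active-config"))
    print(hex(blob[4]))   # first byte of the name: 0x41, the letter A
    blob[4] = 0x63        # the hexedit step: type 63 over 41
    rec = parse_dump(blob)
    print(rec, hex(int.from_bytes(rec["data"], "little")))
```
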

OTHER TIPS

While this answer does provide a method for disabling SIP, I consider the method to be overly complicated, if the sole purpose is to disable SIP. Also, the time needed to boot is longer than booting to an EFI or UEFI shell. However, if there are other tasks that also need to be performed from a macOS Recovery environment, then this method may be preferred over simpler methods.

On an actual Mac, SIP can be disabled by entering the command csrutil disable in a Terminal window while booted from a USB flash drive macOS installer. Apple has a website providing the instructions for creating this USB flash drive macOS installer. VMware Fusion Player does not offer virtual USB drives. However, a virtual second internal drive can be substituted. The steps needed to create this virtual drive are given below.


  1. Acquire the installer application: If the Install macOS Big Sur application does not already exist in the Applications folder on the host, then download the application or transfer a copy from another Mac. This answer assumes the macOS version is 11.2.

  2. Create the installer disk image: On the host, open the Disk Utility. From the Disk Utility menu bar, select File>New Image>Blank Image…. In the popup choose the following, then select the Save button.

    After the disk image creation operation completes successfully, select the Done button. Next, open a Terminal application window on the host and enter the command below.

    sudo /Applications/Install\ macOS\ Big\ Sur.app/Contents/Resources/createinstallmedia --volume /Volumes/MyVolume
    

    When finished creating the Install macOS Big Sur volume, use the Disk Utility to eject all disk images. Quit the Disk Utility and Terminal applications.

  3. Set up sharing: With the client shut down, open the Sharing pane of the Settings for the client. Check off the box labeled Enable Shared Folders and add your Desktop folder, as shown below.

  4. Create new internal HDD: With the client still shut down, add a new hard disk. Use the settings shown below.

  5. Separate the new HDD from the client: This is an optional step which is useful if you want to share the new HDD with other virtual machines.

    Note: This sharing assumes only one client at a time will be using this drive. Otherwise, this drive should be mounted read-only. (This may be possible by editing the /etc/fstab file.)

    First, remove the new HDD from the client. When the popup below appears, select the Keep File button.

    Use the Finder application to move the Virtual Disk 2.vmdk file from the client folder to the parent folder named Virtual Machines. Next, rename the file to BigSur11.2Installer.vmdk. Finally, add this new HDD to the client as an existing HDD. When selecting the file, be sure the Share this virtual disk with the virtual machine that created it button is selected, as shown below.

  6. Initialize the new HDD: Start up the client virtual machine. When the popup below appears, select the Initialize… button. The Disk Utility application should open.

    Highlight the new uninitialized VMware Virtual SATA Hard Drive Media and then select the Erase button. Make the selections shown below, then select the Erase button.

    Quit the Disk Utility.

  7. Install VMware Tools: If VMware Tools is already installed, then skip to the next step. From the VMware Fusion menu bar, select Virtual Machine>Install VMware Tools. Proceed to install. If either of the two windows below requests a Restart, do not do so.

    The system software from developer "VMware, Inc." will be blocked from loading. You should select the Allow button from the Security & Privacy pane of System Preferences, when this happens. Afterwards, when the window shown below requests a Restart, then you should do so.

  8. Restore to the new drive: From the client, open your Desktop folder stored on the host, then open the BigSur11.2Installer.dmg file. On the client, open the Disk Utility application and highlight the MyVolume volume. From the top of the Disk Utility window, select Restore. In the popup, select to restore from Install macOS Big Sur, then select the Restore button.

    Note: On my Mac, the restore took about 8 minutes.

    When finished, select the Done button. From the Disk Utility, eject the Disk image with the Install macOS Big Sur volume, then quit the Disk Utility. Close any open Finder windows.

  9. Cleanup: From the host, move the BigSur11.2Installer.dmg file from your Desktop folder to the Trash. If desired, restore Shared Folders to its original state.

To boot from the new macOS installer drive, take the following steps.

  1. Shut down the client.
  2. From the host, open the Startup Disk pane of the Settings for the client.
  3. Highlight the HDD icon labeled Hard Disk 2 (SATA).
  4. Select the Restart… button.

This answer relies on having first installed a UEFI Shell v2.2. See this answer for instructions on how to use rEFInd to invoke a UEFI shell.

Choose one of two bulleted procedures below to install the csrutil UEFI shell alias.

  • Enter the command below in a UEFI shell. Since this alias is nonvolatile, the command will only need to be entered once.

     alias csrutil "setvar csr-active-config -nv -rt -bs -guid 7C436110-AB2A-4BBB-A880-FE41995C9F82"
    
  • Install the startup.nsh file as described in the referenced answer. This script will create a volatile form of the alias shown above each time a UEFI shell is invoked.

To modify the System Integrity Protection configuration, enter the commands in the "UEFI Shell Equivalent" column below in a UEFI shell.

| macOS Command | UEFI Shell Equivalent | Description |
|---|---|---|
| csrutil clear | csrutil = | Clear the existing configuration. |
| csrutil disable | csrutil =0x0000007f | Disable the protection on the machine. |
| csrutil enable | csrutil =0x00000010 | Enable the protection on the machine. |
| csrutil status | csrutil | Display the current configuration. |

Note: Once the csr-active-config variable is set, you can enable/disable SIP directly from rEFInd.

The bits of the csr-active-config variable are defined in the csr.h file. A version of this file can be found in opensource.apple.com. This developer.apple.com thread defines some additional csrutil arguments for the enable command. The relationship between these bits and select csrutil commands and arguments is given in the table below for macOS Big Sur version 11.2.

| Flag | Bit value |
|---|---|
| CSR_ALLOW_UNTRUSTED_KEXTS | 0x001 |
| CSR_ALLOW_UNRESTRICTED_FS | 0x002 |
| CSR_ALLOW_TASK_FOR_PID | 0x004 |
| CSR_ALLOW_KERNEL_DEBUGGER | 0x008 |
| CSR_ALLOW_APPLE_INTERNAL | 0x010 |
| CSR_ALLOW_UNRESTRICTED_DTRACE | 0x020 |
| CSR_ALLOW_UNRESTRICTED_NVRAM | 0x040 |
| CSR_ALLOW_DEVICE_CONFIGURATION | 0x080 |
| CSR_ALLOW_ANY_RECOVERY_OS | 0x100 |
| CSR_ALLOW_UNAPPROVED_KEXTS | 0x200 |
| CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE | 0x400 |

| csrutil commands with optional arguments | csr-active-config |
|---|---|
| enable | 0x00000010 |
| enable --no-internal | 0x00000000 |
| enable --without kext | 0x00000019 |
| enable --without fs | 0x00000012 |
| enable --without debug | 0x00000012 |
| enable --without dtrace | 0x00000030 |
| enable --without nvram | 0x00000050 |
| disable | 0x0000007F |
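
To see which protections a given csr-active-config value relaxes, the bit definitions listed above can be applied to the value mechanically. This is an added example, not code from the original answer: the function names are hypothetical, and the input is the percent-encoded 4-byte form used by the nvram command in the question.

```python
from urllib.parse import unquote_to_bytes

# Bit definitions copied from the table above (macOS Big Sur 11.2).
CSR_FLAGS = {
    0x001: "CSR_ALLOW_UNTRUSTED_KEXTS",
    0x002: "CSR_ALLOW_UNRESTRICTED_FS",
    0x004: "CSR_ALLOW_TASK_FOR_PID",
    0x008: "CSR_ALLOW_KERNEL_DEBUGGER",
    0x010: "CSR_ALLOW_APPLE_INTERNAL",
    0x020: "CSR_ALLOW_UNRESTRICTED_DTRACE",
    0x040: "CSR_ALLOW_UNRESTRICTED_NVRAM",
    0x080: "CSR_ALLOW_DEVICE_CONFIGURATION",
    0x100: "CSR_ALLOW_ANY_RECOVERY_OS",
    0x200: "CSR_ALLOW_UNAPPROVED_KEXTS",
    0x400: "CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE",
}


def parse_nvram_value(text):
    """Turn the percent-encoded form (e.g. %7f%00%00%00) into an integer.

    Bytes written as literal printable characters are accepted as well.
    """
    raw = unquote_to_bytes(text.strip())
    if len(raw) != 4:
        raise ValueError(f"expected 4 bytes, got {len(raw)}")
    return int.from_bytes(raw, "little")


def decode(value):
    """Return (names of the set flags, leftover bits that are not in the table)."""
    names = [name for bit, name in CSR_FLAGS.items() if value & bit]
    return names, value & ~sum(CSR_FLAGS)


if __name__ == "__main__":
    # Constructed inputs: the "disable" and "enable" values from the table above.
    for text in ("%7f%00%00%00", "%10%00%00%00"):
        value = parse_nvram_value(text)
        names, unknown = decode(value)
        print(f"{text} = 0x{value:08x}: {', '.join(names)} (unknown bits 0x{unknown:x})")
```
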

 

Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange