From 5f07e9ffd98e70cfd53bcb81ec4f3c89f3b9f0a6 Mon Sep 17 00:00:00 2001
From: Mykola Grymalyuk
Date: Sun, 17 Oct 2021 15:48:08 -0600
Subject: [PATCH] Drop CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE usage
---
 CHANGELOG.md | 2 ++
 data/sip_data.py | 11 +++++++----
 resources/build.py | 2 +-
 resources/cli_menu.py | 4 ++--
 resources/sys_patch.py | 2 +-
 5 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 824c68424..a3a3b8214 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,8 @@
 ## 0.3.1
 - Allow for setting custom SIP values via TUI
+- Drop `CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE` requirement for root patching
+ - Lowers default SIP Disabled value to 0xA03
 ## 0.3.0
 - Fix Nvidia Tesla Acceleration in Monterey Beta 7+
diff --git a/data/sip_data.py b/data/sip_data.py
index 7e174c849..c79ba3637 100644
--- a/data/sip_data.py
+++ b/data/sip_data.py
@@ -22,14 +22,17 @@ class system_integrity_protection:
 "CSR_ALLOW_UNTRUSTED_KEXTS", # 0x1
 "CSR_ALLOW_UNRESTRICTED_FS", # 0x2
 "CSR_ALLOW_UNAPPROVED_KEXTS", # 0x200
- "CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE", # 0x400
 ]
 root_patch_sip_big_sur = [
 # Variables required to root patch in Big Sur and Monterey
 "CSR_ALLOW_UNTRUSTED_KEXTS", # 0x1
- "CSR_ALLOW_UNRESTRICTED_FS", # 0x2
+ "CSR_ALLOW_UNRESTRICTED_FS", # 0x2 - Required to mount and edit root volume, as well as load modded platform binaries
 "CSR_ALLOW_UNAPPROVED_KEXTS", # 0x200
- "CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE", # 0x400
- "CSR_ALLOW_UNAUTHENTICATED_ROOT", # 0x800
+ "CSR_ALLOW_UNAUTHENTICATED_ROOT", # 0x800 - Required to avoid KC mismatch kernel panic
 ]
+
+ # CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE (introduced with Mojave):
+ # This bit is quite strange and was originally assumed to be required for modded platform binaries
+ # However after extensive testing, this doesn't seem true. In addition, this bit is never flipped via
+ # 'csrutil disable'. Usage within the kernel is not present.
\ No newline at end of file
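Review bot: Two of the four bits kept in `root_patch_sip_big_sur`, `CSR_ALLOW_UNTRUSTED_KEXTS` (0x1) and `CSR_ALLOW_UNAPPROVED_KEXTS` (0x200), still carry only their bit value while the two lines this commit touches now say what each bit unlocks, so a reader cannot tell from the list which patch step depends on them or whether they could be dropped the way 0x400 was. Give them the same `# 0x... - Required to ...` form, naming the concrete patch step each one is needed for. The new trailing comment block becomes the last line of the file without a newline (`\ No newline at end of file`); add one. That block's statement that the bit is unused in the kernel would be easier to maintain if it recorded which macOS builds the testing covered. The first list in the hunk opens above it, so its name is not visible here.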
diff --git a/resources/build.py b/resources/build.py
index 1ee5d051b..ac24d46d0 100644
--- a/resources/build.py
+++ b/resources/build.py
@@ -697,7 +697,7 @@ class BuildOpenCore:
 self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["csr-active-config"] = utilities.string_to_hex(self.constants.custom_sip_value.lstrip("0x"))
 elif self.constants.sip_status is False:
 print("- Disabling SIP")
- self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["csr-active-config"] = binascii.unhexlify("030E0000")
+ self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["csr-active-config"] = binascii.unhexlify("030A0000")
 # if self.constants.amfi_status is False:
 # print("- Disabling AMFI")
 # self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["boot-args"] += " amfi_get_out_of_my_way=1"
diff --git a/resources/cli_menu.py b/resources/cli_menu.py
index f878b2259..61101e529 100644
--- a/resources/cli_menu.py
+++ b/resources/cli_menu.py
@@ -162,7 +162,7 @@ Note: For security reasons, OpenShell will be disabled when Vault is set.
 print(
 f"""SIP is used to ensure proper secuirty measures are set, however to patch the root volume this must be disabled.
-Only disable is absolutely necessary. SIP value = 0xE03
+Only disable is absolutely necessary. SIP value = 0xA03
 Valid options:
@@ -773,7 +773,7 @@ the event there's issues.
 print(
 """
 By default OCLP will use the SIP value of 0x00 as the enabled and
-0xE03 for machines that require root patching. For users who wish
+0xA03 for machines that require root patching. For users who wish
 to flip additional bits in SIP may use this option.
 To disable SIP outright, set it to 0xFEF
diff --git a/resources/sys_patch.py b/resources/sys_patch.py
index ce825f1cd..2d8caa3c0 100644
--- a/resources/sys_patch.py
+++ b/resources/sys_patch.py
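Review bot: `binascii.unhexlify("030A0000")` encodes 0xA03 (bytes 03 0A 00 00, a little-endian 32-bit value) as a magic string with no link to the `root_patch_sip_big_sur` list in data/sip_data.py that this same commit edits, and the value is repeated as text in both resources/cli_menu.py hunks and the resources/sys_patch.py hunk, so the next bit change has to be hunted down in five places again. Derive the NVRAM bytes once from the list, e.g. `csr_value = sum(bit_values[name] for name in root_patch_sip_big_sur)` with a name-to-bit table (to be added; the bit values currently live only in comments) and `csr_value.to_bytes(4, "little")`, and render the menu and patch text from that same value. This note also covers the cli_menu.py and sys_patch.py hunks. The `elif` continues an `if` chain that begins above the hunk.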
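Review bot: The changed line keeps the sentence fragment `Only disable is absolutely necessary`; it should read `Only disable if absolutely necessary. SIP value = 0xA03`. The context line above it, in the same f-string, misspells `secuirty`; both are user-facing text, so fix them while this string is being edited. The `print(` call and its f-string start before and continue past the hunk.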
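Review bot: The sentence the changed line begins, `For users who wish` / `to flip additional bits in SIP may use this option.`, has no subject for `may use`; reword the two lines to `0xA03 for machines that require root patching. Users who wish` / `to flip additional bits in SIP may use this option.`. The `print(` call and its string start before and continue past the hunk.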
@@ -818,7 +818,7 @@ set million colour before rebooting"""
 sip_value = "For Hackintoshes, please set csr-active-config to '03060000' (0x603)\nFor non-OpenCore Macs, please run 'csrutil disable' in RecoveryOS"
 else:
 sip_value = (
- "For Hackintoshes, please set csr-active-config to '030E0000' (0xE03)\nFor non-OpenCore Macs, please run 'csrutil disable' and \n'csrutil authenticated-root disable' in RecoveryOS"
+ "For Hackintoshes, please set csr-active-config to '030A0000' (0xA03)\nFor non-OpenCore Macs, please run 'csrutil disable' and \n'csrutil authenticated-root disable' in RecoveryOS"
 )
 self.sip_enabled, self.sbm_enabled, self.amfi_enabled, self.fv_enabled, self.dosdude_patched = utilities.patching_status(sip, self.constants.detected_os)
 if self.sip_enabled is True:
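Review bot: The rewritten literal still carries a stray space before the embedded newline (`'csrutil disable' and \n`), which prints as a trailing blank on that line of the user-facing message; drop it while the string is being replaced. The duplicated `030A0000` / 0xA03 literal is discussed on the resources/build.py hunk. The `if`/`else` that selects `sip_value` begins above the hunk.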