Drop CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE usage

CHANGELOG.md

@@ -2,6 +2,8 @@
 
 ## 0.3.1
 - Allow for setting custom SIP values via TUI
+- Drop `CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE` requirement for root patching
+  - Lowers default SIP Disabled value to 0xA03
 
 ## 0.3.0
 - Fix Nvidia Tesla Acceleration in Monterey Beta 7+

data/sip_data.py

@@ -22,14 +22,17 @@ class system_integrity_protection:
         "CSR_ALLOW_UNTRUSTED_KEXTS",  #            0x1
         "CSR_ALLOW_UNRESTRICTED_FS",  #            0x2
         "CSR_ALLOW_UNAPPROVED_KEXTS",  #           0x200
-        "CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE",  # 0x400
     ]
 
     root_patch_sip_big_sur = [
         # Variables required to root patch in Big Sur and Monterey
         "CSR_ALLOW_UNTRUSTED_KEXTS",  #            0x1
-        "CSR_ALLOW_UNRESTRICTED_FS",  #            0x2
+        "CSR_ALLOW_UNRESTRICTED_FS",  #            0x2   - Required to mount and edit root volume, as well as load modded platform binaries
         "CSR_ALLOW_UNAPPROVED_KEXTS",  #           0x200
-        "CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE",  # 0x400
+        "CSR_ALLOW_UNAUTHENTICATED_ROOT",  #       0x800 - Required to avoid KC mismatch kernel panic
-        "CSR_ALLOW_UNAUTHENTICATED_ROOT",  #       0x800
     ]
+
+    # CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE (introduced with Mojave):
+    # This bit is quite strange and was originally assumed to be required for modded platform binaries
+    # However after extensive testing, this doesn't seem true. In addition, this bit is never flipped via
+    # 'csrutil disable'. Usage within the kernel is not present.

resources/build.py

@@ -697,7 +697,7 @@ class BuildOpenCore:
             self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["csr-active-config"] = utilities.string_to_hex(self.constants.custom_sip_value.lstrip("0x"))
         elif self.constants.sip_status is False:
             print("- Disabling SIP")
-            self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["csr-active-config"] = binascii.unhexlify("030E0000")
+            self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["csr-active-config"] = binascii.unhexlify("030A0000")
         # if self.constants.amfi_status is False:
         #     print("- Disabling AMFI")
         #     self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["boot-args"] += " amfi_get_out_of_my_way=1"

resources/cli_menu.py

@@ -162,7 +162,7 @@ Note: For security reasons, OpenShell will be disabled when Vault is set.
         print(
             f"""SIP is used to ensure proper secuirty measures are set,
 however to patch the root volume this must be disabled.
-Only disable is absolutely necessary. SIP value = 0xE03
+Only disable is absolutely necessary. SIP value = 0xA03
 
 Valid options:
 
@@ -773,7 +773,7 @@ the event there's issues.
         print(
             """
 By default OCLP will use the SIP value of 0x00 as the enabled and
-0xE03 for machines that require root patching. For users who wish
+0xA03 for machines that require root patching. For users who wish
 to flip additional bits in SIP may use this option.
 
 To disable SIP outright, set it to 0xFEF

resources/sys_patch.py

@@ -818,7 +818,7 @@ set million colour before rebooting"""
             sip_value = "For Hackintoshes, please set csr-active-config to '03060000' (0x603)\nFor non-OpenCore Macs, please run 'csrutil disable' in RecoveryOS"
         else:
             sip_value = (
-                "For Hackintoshes, please set csr-active-config to '030E0000' (0xE03)\nFor non-OpenCore Macs, please run 'csrutil disable' and \n'csrutil authenticated-root disable' in RecoveryOS"
+                "For Hackintoshes, please set csr-active-config to '030A0000' (0xA03)\nFor non-OpenCore Macs, please run 'csrutil disable' and \n'csrutil authenticated-root disable' in RecoveryOS"
             )
         self.sip_enabled, self.sbm_enabled, self.amfi_enabled, self.fv_enabled, self.dosdude_patched = utilities.patching_status(sip, self.constants.detected_os)
         if self.sip_enabled is True: