From 86a7e306f633c699d5eba0c7e4737c976052dc11 Mon Sep 17 00:00:00 2001 From: neon ball <35791009+ParaDoX1994@users.noreply.github.com> Date: Mon, 22 Jul 2024 00:08:26 +0300 Subject: [PATCH] Improve SIP documentation Previous one was a bit of a jumbled mess, added some cohesiveness and version based information --- docs/POST-INSTALL.md | 31 ++++++++++++++++++++++++------- 1 file changed, 24 insertions(+), 7 deletions(-) diff --git a/docs/POST-INSTALL.md b/docs/POST-INSTALL.md index fe5ce9bd1..4e9f792a8 100644 --- a/docs/POST-INSTALL.md +++ b/docs/POST-INSTALL.md @@ -2,6 +2,7 @@ * [Booting without USB drive](#booting-without-usb-drive) * [Booting seamlessly without Boot Picker](#booting-seamlessly-without-boot-picker) +* [SIP settings](#sip-settings) * [Applying Post Install Volume Patches](#applying-post-install-volume-patches) ## Booting without USB drive 
@@ -24,23 +25,39 @@ To do this, run the OpenCore Patcher and head to Patcher Settings, then uncheck Once you've toggled it off, build your OpenCore EFI once again and install to your desired drive. Now to show the OpenCore selector, you can simply hold down the "ESC" key while clicking on EFI boot, and then you can release the "ESC" key when you see the cursor arrow at the top left. -## Enabling SIP +## SIP settings -For many users, SIP will be lowered by default on build. For Intel HD 4000 users, you may have noticed that SIP is partially disabled. This is to ensure full compatibility with macOS Monterey and allow seamless booting between it and older OSes. However for users who do not plan to boot Monterey, you can re-enable under Patcher Settings. +SIP, or System Integrity Protection, needs to be lowered on systems where root patching is required to patch data on disk. This will vary between OS versions and the model in question. OCLP by default will determine the proper SIP options for the OS version and Mac model, in most cases the user has no need to touch these settings. However, this part explains how the SIP settings work in OCLP, where lowered SIP is needed and where full SIP could be enabled. -Note: Machines running macOS Ventura or systems with non-Metal GPUs cannot enable SIP outright, due to having a patched root volume. Enabling it will brick the installation. +In the cases where SIP can be enabled, manually enabling it is needed. -Going forward with 0.6.6, SIP settings can be accessed from the Security tab shown in the images. +:::warning + +If you're unsure whether you should change the SIP settings, leave them as-is. Systems where you have already ran the Post Install Root Patching cannot enable SIP without potentially breaking the current install. + +::: + +SIP settings can be accessed from the Security tab shown in the images. To change SIP settings, make the changes here, return in main menu and rebuild OpenCore using the first option. 
| SIP Enabled | SIP Lowered (Root Patching) | SIP Disabled | | :--- | :--- | :--- | | ![](./images/OCLP-GUI-Settings-SIP-Enabled.png) | ![](./images/OCLP-GUI-Settings-SIP-Root-Patch.png) | ![](./images/OCLP-GUI-Settings-SIP-Disabled.png) | -:::warning -If you're unsure whether you should enable SIP, leave it as-is. Systems where you have already ran the Post Install Root Patching cannot enable SIP without potentially breaking the current install. +### Ventura and newer -::: +In Ventura and newer, all unsupported systems require lowered SIP due to root patching required, where data on the system volume is patched. + +### Monterey + +In Monterey, majority of unsupported systems from 2013 forward can enable full SIP, due to root patches not being required. +Pre-2012 systems, also known as "non-Metal" (includes Mac Pros without upgraded GPU), as well as NVIDIA Kepler and Intel HD 4000 GPUs will require root patching, which requires lowered SIP. + +Some systems such as Mac Pros also require root patching for stock WiFi cards but if you do not need WiFi or you plan to upgrade the card, there is no need for root patching and as such SIP can be fully enabled. + +### Big Sur + +Majority of unsupported systems can run with full SIP enabled, as root patching is not required. Non-Metal still requires root patching and lowered SIP. ## Applying Post Install Volume Patches
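Review bot: The first hunk's new TOC entry `[SIP settings](#sip-settings)` goes with the heading rename from `## Enabling SIP` to `## SIP settings` in the second hunk, which changes the generated anchor. Any existing link to `#enabling-sip` elsewhere in the docs will stop resolving, so search for the old anchor and update those links in this same patch.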
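Review bot: In the second hunk's Monterey section, "from 2013 forward" and "Pre-2012 systems" leave 2012 models covered by neither sentence; state explicitly which side of the root-patching line 2012 machines fall on. The hunk also removes the old note that enabling SIP on a patched root volume "will brick the installation" and keeps only "potentially breaking the current install" in the warning. Since the new Ventura section says all unsupported systems are root patched, the consequence of enabling full SIP there should be spelled out as strongly as before. The intro says OCLP picks the proper SIP options by default and then says "manually enabling it is needed"; one sentence stating what the default is on systems that could run full SIP would remove the apparent contradiction. Wording: "have already ran" should be "have already run", "return in main menu" should be "return to the main menu", and "majority of" needs a leading "the" in both the Monterey and Big Sur sections.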