OSX: rEFIt is working with SIP enabled!


I don't remember exactly when I installed rEFIt (I did it only once) but I know I have been using it without any problems since around 2006 and it went through 2 laptops and several OSX versions already. The beauty of OSX upgrades and Time Machine.

After installing El Capitan, I was still using it without problems (well, just a small one but no biggie - will be mentioned a bit later), but also with SIP enabled! Will explain about SIP too.

The small problem with rEFIt and El Capitan

So, the small problem regarding rEFIt is: each time I get OSX updates I have to bless it because my shiny boot menu disappears. I have done this several times already as I was getting used to it, until today when I wondered if there is maybe a newer version which could get me past this tiny problem.

rEFIt is dead, long live rEFInd!

My surprise was to find out rEFIt is no longer maintained and I still have the newest version (0.14). On their website I also found out there is a fork called rEFInd which is under active development. Naturally I visited them and learned they have problems with SIP.

What is SIP then?

SIP (System Integrity Protection) is the new feature of El Capitan: "a security technology in OS X El Capitan that's designed to help prevent potentially malicious software from modifying protected files and folders on your Mac." (quoting Apple).

In a nutshell, it prevents everyone (I mean everyone, including root!!!) from altering the following paths:

Apps that are pre-installed with OS X

As any admin would do, I fired up the terminal and did some tests:

flmbp:usr root# whoami
flmbp:~ root# cd /System/
flmbp:System root# touch a
touch: a: Operation not permitted
flmbp:System root# pwd
flmbp:System root# cd /usr
flmbp:usr root# touch a
touch: a: Operation not permitted

Wow, that is wicked! In a good way :)

Also, it (and again quoting Apple) "helps prevent software from changing your startup volume. To boot your Mac from a different volume, you can use the Startup Disk pane in System Preferences or you can hold down the Option key while you reboot, and select a volume from the list."

So you will probably have problems installing rEFIt and rEFInd but once you have them installed, no problems! Well, I am keeping rEFIt even with that tiny problem described above. I can live with it. I am too lazy to go into recovery mode, disable SIP, install rEFInd and then go back into recovery mode and enable SIP.

How to find out if you have SIP enabled (it should be since you have El Capitan):
flmbp:refit florian$ sudo csrutil status
System Integrity Protection status: enabled.
And the bless command for rEFIt:
flmbp:refit florian$ sudo ./enable.sh 
+ sudo bless --folder /efi/refit --file /efi/refit/refit.efi --labelfile /efi/refit/refit.vollabel

Of course, in case you are wondering, after this execution I have the beautiful rEFIt menu at boot.
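
The two checks used above (the touch test as root and csrutil status) combined into one script, as an added example that is not part of the original post. The function names are made up for illustration, and it assumes you run it with sudo so that a refusal reflects SIP rather than ordinary file permissions.

```sh
#!/bin/sh
# Added example (not from the original post): cross-check what `csrutil status`
# reports against what the filesystem actually allows. Function names are
# hypothetical. Run as root (sudo) so "denied" means SIP, not file permissions.

# Map the text printed by `csrutil status` to enabled | disabled | unknown.
# Anything other than the two plain answers is left for a human to read.
sip_state() {
    case "$1" in
        *"System Integrity Protection status: enabled."*)  echo enabled ;;
        *"System Integrity Protection status: disabled."*) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Repeat the post's `touch` test in one directory and clean up afterwards.
# Prints writable | denied | missing.
probe_dir() {
    [ -d "$1" ] || { echo missing; return 0; }
    probe="$1/.sip_probe_$$"
    if touch "$probe" 2>/dev/null; then
        rm -f "$probe"
        echo writable
    else
        echo denied
    fi
}

# For each directory print: path, probe result, and whether that result
# matches the reported SIP state (a writable protected path with SIP
# "enabled" is the case worth investigating).
audit_protected() {
    state=$(sip_state "$1"); shift
    for dir in "$@"; do
        result=$(probe_dir "$dir")
        verdict=consistent
        if [ "$state" = enabled ] && [ "$result" = writable ]; then
            verdict=UNEXPECTED
        fi
        printf '%s\t%s\t%s\n' "$dir" "$result" "$verdict"
    done
}

# Only on a Mac: audit the two directories tested in the post.
if command -v csrutil >/dev/null 2>&1; then
    audit_protected "$(csrutil status)" /System /usr
fi
```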

I have to end with something

If you are thinking of disabling SIP, you can do so but only in recovery mode, as also mentioned in csrutil's help. However, I would leave it enabled.

flmbp:refit florian$ sudo csrutil  
usage: csrutil <command>
Modify the System Integrity Protection configuration. All configuration changes apply to the entire machine.
Available commands:

        Clear the existing configuration. Only available in Recovery OS.
        Disable the protection on the machine. Only available in Recovery OS.
        Enable the protection on the machine. Only available in Recovery OS.
        Display the current configuration.

        add <address>
            Insert a new IPv4 address in the list of allowed NetBoot sources.
            Print the list of allowed NetBoot sources.
        remove <address>
            Remove an IPv4 address from the list of allowed NetBoot sources.

rEFIt: http://refit.sourceforge.net/
rEFInd: http://www.rodsbooks.com/refind
Apple - About System Integrity Protection on your Mac: https://support.apple.com/en-us/HT204899
