Re-enable SIP and FileVault #2

Open
robbash opened this issue Mar 2, 2021 · 2 comments

Comments

robbash commented Mar 2, 2021

Hey,

thanks for the tool, I did those steps all manually though. All looks good after my changes.

BUT:
Have you managed to re-enable SIP and FileVault? I'm on an M1. Trying to re-enable SIP results in "failed to set system integrity configuration in boot policy". Similar error message on trying `csrutil clear`.

Any ideas?

Cheers

@ink-splatters

@robbash after tampering with the system volume and breaking the seal, boot is possible thanks to creating a new bootable snapshot, but the integrity check indeed fails, so SIP can't be fully enabled unless the volume is sealed again. I don't know a clear way to re-seal the volume, but apparently the installer does that; probably there might be answers at Dortania (OpenCore Legacy Patcher).

I'm not sure if they manage to re-seal the volume, but at least forcing FileVault2 to work with a broken seal is mentioned in their code base:

https://github.com/dortania/OpenCore-Legacy-Patcher/blob/0d402c4dba376cf09f258f4ac8335479ebb172bb/resources/defaults.py#L64

@ink-splatters

A couple of questions for @fxgst:

  1. Why a C executable when using just shell commands? (sorry if I missed a particular reason)
  2. I found the recommendation regarding enabling FileVault2 (and SIP) misleading: there is no clear way to enable FileVault2 (except for my digging through the OpenCore patcher source, which still is to be verified!), and no way (at all, AFAIK) to enable SIP (all bits) after modifying the volume. Or did you manage to work around that, e.g. by running the command which is run by the macOS installer (to actually seal volumes)?

Thanks!

  1. did you indeed achieve this on unsealed volume? Otherwise the recommendation would sound
