What sucks is that you can't disable SIP without _also_ disabling disk encryption ("FileVault"), because Apple changed from full disk encryption to only encrypting user data, and relying on SIP and crypto hashes to protect the system partition. Therefore, you can't "safely" disable SIP, as you'd be able to boot into recovery mode and perform an evil maid attack.
This is really irritating, both that:
- I can't "accept the risk" and force disk encryption anyway. This may be technically possible if you bludgeon the OS enough, but it's definitely not something the built-in CLI tooling supports.
- I can't use the old full disk encryption mode. Presumably, this code does or did still exist somewhere, but isn't supported because it's not used in any supported configuration.
So you're left with the option of having no disk encryption on your laptop, or having SIP.
EDIT: I'm thinking of SSV, not SIP per se. But when it comes to disabling the built-in launchd services like Spotlight, you have to disable SSV to do so, and that requires disabling FileVault.
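An added example, not from the comment above: a small sh script that classifies the SIP, SSV and FileVault states the comment describes, so a defender can spot the "SSV off, therefore FileVault off" configuration. It assumes the status line formats shown in its comments (constructed for this example from the macOS commands named there); the parsers take the command output as text, so the logic runs on any host.

```shell
#!/bin/sh
# Added example (not from the original comment). Assumed output formats:
#   csrutil status                    -> "System Integrity Protection status: enabled."
#   csrutil authenticated-root status -> "Authenticated Root status: enabled"
#   fdesetup status                   -> "FileVault is On."

# Returns 0 when the given status text reports the feature as enabled/on.
status_enabled() {
    printf '%s\n' "$1" | grep -iqE 'status: *enabled|FileVault is On'
}

# Evaluate the three states together and print one posture line.
# Return codes: 0 = all on, 1 = SSV off (FileVault cannot be on), 2 = FileVault or SIP off.
assess_posture() {
    sip="$1"; ssv="$2"; fv="$3"
    if ! status_enabled "$ssv"; then
        echo "RISK: SSV disabled -> system volume unverified and FileVault unavailable (evil-maid exposure)"
        return 1
    fi
    if ! status_enabled "$fv"; then
        echo "RISK: FileVault off -> user data readable from recovery mode or another OS"
        return 2
    fi
    if ! status_enabled "$sip"; then
        echo "WARN: SIP disabled (SSV and FileVault still on)"
        return 2
    fi
    echo "OK: SIP, SSV and FileVault all enabled"
    return 0
}

# Live check on a Mac; the commands are only run if csrutil exists.
live_check() {
    command -v csrutil >/dev/null 2>&1 || { echo "not macOS"; return 3; }
    assess_posture "$(csrutil status 2>&1)" \
                   "$(csrutil authenticated-root status 2>&1)" \
                   "$(fdesetup status 2>&1)"
}
```

Run `live_check` on the Mac itself; the exit code is suitable for a fleet compliance job.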