升级到Big Sur后,以写模式挂载root报错(SIP已disable)
sudo mount -uw /
mount_apfs: volume could not be mounted: Permission denied
mount: / failed with 66
Big Sur 新增了 Signed System Volume 机制,对系统所在的 APFS Volume 增加了更多的保护
Reboot into recovery mode and run:
csrutil authenticated-root disable
Reboot back into MacOS
Find your root mount's device - run mount and chop off the last s, e.g. if your root is /dev/disk1s5s1, you'll mount /dev/disk1s5
Create a new directory, for example ~/mount
Run:sudo mount -o nobrowse -t apfs /dev/disk1s5 ~/mount
Modify the files under the mounted directory
Run:sudo bless --folder MOUNT_PATH/System/Library/CoreServices --bootefi --create-snapshot
Reboot your system, and the changes will take place
缺点:
修改后,无法再启用SSV机制,但是可以启用SIP机制,因为系统已修改,导致签名不一致,若启用SSV,则校验失败,报错禁止启动。
csrutil enable
csrutil authenticated-root disable
Big Sur 引入的 Signed System Volume 机制会给 System APFS Volume 的每个文件 /文件夹都设置一份 hash,在 bootloader 启动后,加载内核前会进行完整性校验,校验不通过的话会拒绝引导,并提示用户重装 macOS 。使用 mount 查看挂载点会发现 /多了个 sealed 标志。系统默认会从 SSV snapshot 启动,对用户无感知。