AWS Blogs · the day before yesterday, 01:43
Configure System Integrity Protection (SIP) on Amazon EC2 Mac instances

Amazon Web Services (AWS) has announced that developers can now programmatically disable Apple's System Integrity Protection (SIP) on their Amazon EC2 Mac instances. SIP is a macOS security feature designed to protect the system from potentially harmful software. The new capability simplifies disabling and enabling SIP: developers no longer need physical access to the machine and can do it through the EC2 API, which is useful for developing and testing drivers or system extensions. The feature is available on EC2 Mac instances with the M2 chip; users need to set the ec2-user password and enable secure token.

🛡️ **What is System Integrity Protection (SIP)?** SIP is a security feature Apple introduced in macOS that protects the system by restricting the root user's privileges, preventing malware from taking control of the device. SIP is enabled by default; it blocks modification of protected files and folders, restricts access to system files, and prevents unauthorized software from selecting a startup disk.

🛠️ **Why disable SIP?** Developers may need to disable SIP temporarily during development and testing, for example when building a new device driver or system extension, because SIP can block installing and testing the code, or block access to system settings that some software needs in order to run.

💻 **How to disable and enable SIP?** Developers can now disable and re-enable SIP conveniently through the Amazon EC2 API, without physical access to the machine, using the `CreateMacSystemIntegrityProtectionModificationTask` API to change the SIP state and the `DescribeMacModificationTasks` API to monitor progress. On Apple silicon based EC2 Mac instances, the `ec2-user` password must be set and secure token enabled.

⏱️ **Timing and caveats:** Disabling SIP involves a series of reboots and can take 60-90 minutes to complete. Disabling SIP carries security risk, so use it with care. It is typically needed for developing drivers or kernel extensions, or for some older applications that do not work correctly with SIP enabled.

I’m pleased to announce developers can now programmatically disable Apple [System Integrity Protection (SIP)](https://support.apple.com/en-us/102149) on their [Amazon EC2 Mac](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-mac-instances.html?trk=4b29643c-e00f-4ab6-ab9c-b1fb47aa1708&sc_channel=blog) instances. System Integrity Protection (SIP), also known as rootless, is a security feature introduced by Apple in [OS X El Capitan](https://wikipedia.org/wiki/OS_X_El_Capitan) (2015, version 10.11). It’s designed to protect the system from potentially harmful software by restricting the power of the root user account. SIP is enabled by default on macOS.

SIP safeguards the system by preventing modification of protected files and folders, restricting access to system-owned files and directories, and blocking unauthorized software from selecting a startup disk. The primary goal of SIP is to address the security risk linked to unrestricted root access, which could potentially allow malware to gain full control of a device with just one password or vulnerability. By implementing this protection, Apple aims to ensure a higher level of security for macOS users, especially considering that many users operate on administrative accounts with weak or no passwords.

While SIP provides excellent protection against malware for everyday use, developers might occasionally need to temporarily disable it for development and testing purposes. For instance, when creating a new device driver or system extension, disabling SIP is necessary to install and test the code. Additionally, SIP might block access to certain system settings required for your software to function properly. Temporarily disabling SIP grants you the necessary permissions to fine-tune programs for macOS. However, it’s crucial to remember that this is akin to briefly disabling the vault door for authorized maintenance, not leaving it permanently open.

[Disabling SIP](https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection) on a Mac requires physical access to the machine. You have to [restart the machine in recovery mode](https://support.apple.com/en-gb/guide/mac-help/mchl82829c17/mac), then disable SIP with the `csrutil` command line tool, then restart the machine again.

Until today, you had to operate with the standard SIP settings on EC2 Mac instances. The physical access requirement and the need to boot in recovery mode made integrating SIP with the Amazon EC2 control plane and EC2 API challenging. But that’s no longer the case! You can now disable and re-enable SIP at will on your Amazon EC2 Mac instances. Let me show you how.

**Let’s see how it works**
Imagine I have an Amazon EC2 Mac instance started. It’s a `mac2-m2.metal` instance, running on an Apple silicon M2 processor. Disabling or enabling SIP is as straightforward as calling a new EC2 API: `CreateMacSystemIntegrityProtectionModificationTask`. This API is asynchronous; it starts the process of changing the SIP status on your instance. You can monitor progress using another new EC2 API: `DescribeMacModificationTasks`. All I need to know is the instance ID of the machine I want to work with.

**Prerequisites**
On Apple silicon based EC2 Mac instances and more recent machine types, before calling the new EC2 API, I must set the `ec2-user` password and enable [secure token](https://support.apple.com/en-gb/guide/deployment/dep24dbdcf9e/web) for that user on macOS. This requires connecting to the machine and typing two commands in the terminal.

```bash
# on the target EC2 Mac instance
# Set a password for the ec2-user user
~ % sudo /usr/bin/dscl . -passwd /Users/ec2-user
New Password: (MyNewPassw0rd)

# Enable secure token, with the same password, for the ec2-user
# old password is the one you just set with dscl
~ % sysadminctl -newPassword MyNewPassw0rd -oldPassword MyNewPassw0rd
2025-03-05 13:16:57.261 sysadminctl[3993:3033024] Attempting to change password for ec2-user…
2025-03-05 13:16:58.690 sysadminctl[3993:3033024] SecKeychainCopyLogin returned -25294
2025-03-05 13:16:58.690 sysadminctl[3993:3033024] Failed to update keychain password (-25294)
2025-03-05 13:16:58.690 sysadminctl[3993:3033024] - Done

# The error about the KeyChain is expected. I never connected with the GUI on this machine, so the Login keychain does not exist
# you can ignore this error. The command below shows the list of keychains active in this session
~ % security list
"/Library/Keychains/System.keychain"

# Verify that the secure token is ENABLED
~ % sysadminctl -secureTokenStatus ec2-user
2025-03-05 13:18:12.456 sysadminctl[4017:3033614] Secure token is ENABLED for user ec2-user
```

**Change the SIP status**
I don’t need to connect to the machine to toggle the SIP status. I only need to know its instance ID. I open a terminal on my laptop and use the [AWS Command Line Interface (AWS CLI)](https://aws.amazon.com/cli/) to retrieve the Amazon EC2 Mac instance ID.

```bash
aws ec2 describe-instances \
  --query "Reservations[].Instances[?InstanceType == 'mac2-m2.metal' ].InstanceId" \
  --output text
i-012a5de8da47bdff7
```

Now, still from the terminal on my laptop, I disable SIP with the `create-mac-system-integrity-protection-modification-task` command:

```bash
echo '{"rootVolumeUsername":"ec2-user","rootVolumePassword":"MyNewPassw0rd"}' > tmpCredentials
aws ec2 create-mac-system-integrity-protection-modification-task \
  --instance-id "i-012a5de8da47bdff7" \
  --mac-credentials fileb://./tmpCredentials \
  --mac-system-integrity-protection-status "disabled" && rm tmpCredentials
{
  "macModificationTask": {
    "instanceId": "i-012a5de8da47bdff7",
    "macModificationTaskId": "macmodification-06a4bb89b394ac6d6",
    "macSystemIntegrityProtectionConfig": {},
    "startTime": "2025-03-14T14:15:06Z",
    "taskState": "pending",
    "taskType": "sip-modification"
  }
}
```

After the task is started, I can check its status with the `aws ec2 describe-mac-modification-tasks` command.

```json
{
  "macModificationTasks": [
    {
      "instanceId": "i-012a5de8da47bdff7",
      "macModificationTaskId": "macmodification-06a4bb89b394ac6d6",
      "macSystemIntegrityProtectionConfig": {
        "debuggingRestrictions": "",
        "dTraceRestrictions": "",
        "filesystemProtections": "",
        "kextSigning": "",
        "nvramProtections": "",
        "status": "disabled"
      },
      "startTime": "2025-03-14T14:15:06Z",
      "tags": [],
      "taskState": "in-progress",
      "taskType": "sip-modification"
    },
...
```

The instance initiates the process and a series of reboots, during which it becomes unreachable. This process can take 60–90 minutes to complete. After that, when I see the status in the console becoming available again, I [connect to the machine through SSH or EC2 Instance Connect](https://community.aws/content/2duUtYq4ENzOLGLdEg0A3aeyCuj/ec2-mac-02-connect-to-an-ec2-mac-instance?lang=en?trk=4b29643c-e00f-4ab6-ab9c-b1fb47aa1708&sc_channel=el), as usual.

```
➜ ~ ssh ec2-user@54.99.9.99
Warning: Permanently added '54.99.9.99' (ED25519) to the list of known hosts.
Last login: Mon Feb 26 08:52:42 2024 from 1.1.1.1

     ┌───┬──┐   |  |   )
     │ ╷╭╯╷ │   |  (  /
     │ └╮ │ │   |\|___|
     │ ╰─┼╯ │   Amazon EC2
     └───┴──┘   macOS Sonoma 14.3.1

➜ ~ uname -a
Darwin Mac-mini.local 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:30:27 PST 2023; root:xnu-10002.81.5~7/RELEASE_ARM64_T8103 arm64
➜ ~ csrutil --status
System Integrity Protection status: disabled.
```

**When to disable SIP**
Disabling SIP should be approached with caution because it opens up the system to potential security risks. However, as I mentioned in the introduction of this post, you might need to disable SIP when developing device drivers or kernel extensions for macOS. Some older applications might also not function correctly when SIP is enabled.

Disabling SIP is also required to turn off Spotlight indexing. Spotlight can help you quickly find apps, documents, emails and other items on your Mac. It’s very convenient on desktop machines, but not so much on a server. When there is no need to index your documents as they change, turning off Spotlight [will release some CPU cycles and disk I/O](https://eclecticlight.co/2022/12/08/spotlight-problems-mds_stores-and-mdworker-in-trouble/).

**Things to know**
There are a couple of additional things to know about disabling SIP on Amazon EC2 Mac:

- Disabling SIP is available through the API and [AWS SDKs](https://aws.amazon.com/tools/), the [AWS CLI](https://aws.amazon.com/cli/?trk=4b29643c-e00f-4ab6-ab9c-b1fb47aa1708&sc_channel=blog), and the [AWS Management Console](https://console.aws.amazon.com).
- On Apple silicon, the setting is volume based. So if you [replace the root volume](https://aws.amazon.com/blogs/compute/new-reset-amazon-ec2-mac-instances-to-a-known-state-using-replace-root-volume-capability/?trk=4b29643c-e00f-4ab6-ab9c-b1fb47aa1708&sc_channel=blog), you need to disable SIP again. On Intel, the setting is Mac host based, so if you replace the root volume, SIP will still be disabled.
- After disabling SIP, it will be enabled again if you stop and start the instance. Rebooting an instance doesn’t change its SIP status.
- SIP status isn’t transferable between EBS volumes. This means SIP will be disabled again after you restore an instance from an EBS snapshot or if you create an AMI from an instance where SIP is enabled.

These new APIs are available in [all Regions where Amazon EC2 Mac is available](https://github.com/aws-samples/amazon-ec2-mac-getting-started/blob/main/ec2-macos.md), at no additional cost. Try them today.

[— seb](https://linktr.ee/sebsto)
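The procedure above (set the `ec2-user` password and secure token on the instance, start the task with the create call, then poll the describe call until the reboots finish) as a script, with the credential blob built in memory instead of the `tmpCredentials` file so the root-volume password never lands on disk. This is an added example, not code from the AWS post; it assumes boto3's `create_mac_system_integrity_protection_modification_task` and `describe_mac_modification_tasks` methods (the snake_case forms of the CLI commands shown), PascalCase response keys, and `successful`/`failed` as the terminal task states, none of which the post shows.

```python
import json
import time

# Terminal task states are an assumption; the post only shows "pending" and "in-progress".
TERMINAL_STATES = {"successful", "failed"}


def _field(d: dict, name: str):
    """Accept both key casings: boto3 normally returns PascalCase, while the
    CLI output quoted in the post shows camelCase for these operations."""
    return d[name] if name in d else d[name[0].lower() + name[1:]]


def build_mac_credentials(username: str, password: str) -> bytes:
    """Same JSON shape the post writes to tmpCredentials, but kept in memory
    so the root-volume password never lands on disk or in shell history."""
    return json.dumps({"rootVolumeUsername": username,
                       "rootVolumePassword": password}).encode()


def start_sip_change(ec2, instance_id: str, creds: bytes, status: str) -> str:
    """Start the asynchronous SIP modification task; returns the task ID."""
    if status not in ("enabled", "disabled"):
        raise ValueError("status must be 'enabled' or 'disabled'")
    resp = ec2.create_mac_system_integrity_protection_modification_task(
        InstanceId=instance_id, MacCredentials=creds,
        MacSystemIntegrityProtectionStatus=status)
    return _field(_field(resp, "MacModificationTask"), "MacModificationTaskId")


def wait_for_task(ec2, task_id: str, poll_seconds: int = 300,
                  timeout_seconds: int = 2 * 3600, sleep=time.sleep) -> dict:
    """Poll until the task reaches a terminal state. The reboots take 60-90
    minutes per the post, so poll slowly and give up after two hours."""
    waited = 0
    while True:
        resp = ec2.describe_mac_modification_tasks(MacModificationTaskIds=[task_id])
        task = _field(resp, "MacModificationTasks")[0]
        state = _field(task, "TaskState")
        if state in TERMINAL_STATES:
            return task
        if waited >= timeout_seconds:
            raise TimeoutError(f"SIP task {task_id} still {state} after {waited}s")
        sleep(poll_seconds)
        waited += poll_seconds


def set_sip(instance_id, username, password, status, region="us-east-1"):
    """End to end: build credentials, start the task, wait for it to finish."""
    import boto3  # imported lazily so the helpers above work without boto3
    ec2 = boto3.client("ec2", region_name=region)
    creds = build_mac_credentials(username, password)
    return wait_for_task(ec2, start_sip_change(ec2, instance_id, creds, status))
```

Remember from the post's "Things to know" that a stop/start re-enables SIP, so a pipeline that relies on the disabled state should re-run `set_sip` after any stop/start or root-volume replacement rather than assume it persists.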
