I blogged about System Integrity Protection here; Apple’s kext signing bypassed… and here; csrutil updated in DP7 and when I released csrstat.c to show CSR/SIP status and I have found a new C string literal in the sandbox daemon – sandboxd – that may be an indication that Apple will extend the SIP configuration with the following setting:
#define CSR_ALLOW_DEVICE_CONFIGURATION (1 << 7) // 128
Update: It is already used/checked in function csr_check() in bsd/kern/kern_csr.c (XNU kernel source code) to set csr_allow_all to 1 if it is set.
More importantly. AppleEFINVRAM has two calls to csr_check() with this value. One in AppleEFINVRAM::setProperty(OSSymbol const*, OSObject*) and one in AppleEFINVRAM::removeProperty(OSSymbol const*, bool). There might be more executables that use this value, but at least now we know what it is that blocks nvram settings from being stored. I mean entitlements alone are not enough. We know this because csrutil is in fact entitled to set csr-* properties, but not from all partitions.
I also asked folks in the Clover general and Chameleon threads over at insanelymac.com if they used this value, but nobody replied yet. I presume that they don’t know what this value is used for, and why they should test it. Well. Never mind then.