OS X El Capitan System Integrity Protection - Ability to bless netboot

Originator: michael.harris
Number: rdar://22397509
Date Originated: 24-08-2015
Status: Open
Resolved:
Product: OS X
Product Version: 10.11 (15A263e)
Classification:
Reproducible: Yes
 
Summary:
With OS X El Capitan, you can no longer bless-boot to a NetBoot server without first adding the NetBoot server's IP address to an allowed list via recovery mode.

Currently we use the Casper suite to manage our lab fleet of ~1500 iMacs and Mac Pros and staff fleet of ~2000 machines.

The lab fleet is reimaged every year and is spread across many network subnets and campuses. We remotely send the bless boot command to netboot the machines across subnets to different IPs depending on the building and/or campus they are located in.

Steps to Reproduce:
1. sudo bless --netboot --booter "tftp://$IP_ADDRESS/$NBI/i386/booter" --kernelcache "tftp://$IP_ADDRESS/$NBI/i386/x86_64/kernelcache" --options "rp=http://$IP_ADDRESS//$NBI/NetBoot.dmg"


Expected Results:
EFI set successfully, followed by successfully netbooting.

Actual Results:
Could not set boot device property: 0xe00002bc
Can't set EFI

This now happens unless the NetBoot server IP is added using csrutil via recovery mode.

Notes:
This is a huge problem because it impacts our ability to automate imaging of our lab fleet, as we do that while they are booted into OS X, and have no way of automating the process of adding the allowed NetBoot IP addresses when booted into recovery mode.

Please consider either removing the requirement of whitelisting IPs or allowing IPs to be added via csrutil while booted into OS X.
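A preflight check for the remote imaging workflow described above, added here as an example and not part of the radar or of Apple's tools. It takes the output of `csrutil netboot list` as a string (the exact output format is an assumption; the sample below is constructed), checks whether the intended NetBoot server address is already in the SIP allow list, and only then emits the bless command from the Steps to Reproduce, so an automation run reports "not allowed, add from recovery" instead of failing later with `Could not set boot device property: 0xe00002bc`. The function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the radar): preflight an automated netboot bless
# on El Capitan by checking the SIP NetBoot allow list first.

# Return 0 if the address in $1 appears as a whole line in the
# `csrutil netboot list` output passed in $2. Output format is assumed to be
# a header line followed by one address per line.
netboot_allowed() {
    ip="$1"
    list="$2"
    printf '%s\n' "$list" | grep -qxF -- "$ip"
}

# Build the bless invocation used in the radar for server $1 and image $2.
# Returns the command line as a string; nothing is executed here.
bless_netboot_cmd() {
    ip="$1"
    nbi="$2"
    printf 'bless --netboot --booter "tftp://%s/%s/i386/booter" --kernelcache "tftp://%s/%s/i386/x86_64/kernelcache" --options "rp=http://%s/%s/NetBoot.dmg"' \
        "$ip" "$nbi" "$ip" "$nbi" "$ip" "$nbi"
}

# Preflight: $1 = server IP, $2 = NBI name, $3 = `csrutil netboot list` output
# (passed in so this runs on hosts where csrutil is absent). Prints a verdict
# and returns 0 when the bless is expected to succeed, 2 when the address
# must first be added from recovery mode with `csrutil netboot add`.
preflight() {
    ip="$1"
    nbi="$2"
    list="$3"
    if netboot_allowed "$ip" "$list"; then
        echo "ok: $ip is in the SIP NetBoot allow list"
        echo "would run: $(bless_netboot_cmd "$ip" "$nbi")"
        return 0
    fi
    echo "blocked: $ip is not in the allow list; from recovery mode run: csrutil netboot add $ip"
    return 2
}

# Constructed sample of `csrutil netboot list` output (format assumed).
SAMPLE_LIST='NetBoot sources:
10.1.2.3
10.4.5.6'

# Demo, run only when invoked with --demo so the functions can be sourced.
if [ "${1:-}" = "--demo" ]; then
    preflight 10.1.2.3 Lab2015.nbi "$SAMPLE_LIST"
    preflight 192.0.2.9 Lab2015.nbi "$SAMPLE_LIST"
fi
```

On a real 10.11 host the third argument would be supplied with `"$(csrutil netboot list)"`, and the management tool would only schedule the bless for machines where preflight returns 0, collecting the rest into a list of hosts that still need a recovery-mode visit.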
