M1 Secure Boot, morphine and self-destruction
If you enter RecoveryOS and open Startup Security Utility, though, you’re only offered the first two in its window. This article goes in quest of Permissive Security and why you don’t want to use it. Ever.
Apple drops us a clue or two in the latest, revised edition of its invaluable Platform Security Guide (which now also works in non-US English: hurrah!). There it states: “It isn’t possible to downgrade to Permissive Security from the Startup Security Utility app. Users can downgrade only by running command-line tools from Terminal in recoveryOS, such as csrutil (to disable SIP). After the user has downgraded, the fact that it’s occurred is reflected in Startup Security Utility, and so a user can easily set the security to a more secure mode.”
So if you want to disable SIP on an M1 Mac, you have to downgrade that bootable disk to Permissive Security, and disabling SIP appears to be one way of doing that. Presumably other ways, such as unsealing macOS, are similar.
