{WARNING} 10.13.3 update may REQUIRE SIP enabled with Nvidia web driver

Discussion in 'Mac Pro' started by h9826790, Jan 25, 2018.

  1. h9826790, Jan 25, 2018
    Last edited: Jan 25, 2018

    h9826790 macrumors G5

    h9826790

    Joined:
    Apr 3, 2014
    Location:
    Hong Kong
    #1
    Both bsbeamer and me was stuck during 10.13.3 upgrade with unflashed Nvidia Pascal GPU. And both of us can fix the issue by re-enabling SIP.

    This seems nothing to do with EFI, bebeamer cannot fix the issue by swapping his GTX680 Mac Edition card back in.

    So, if any of you want to perform this OS upgrade with Nvidia web driver installed. I highly suggest you re-enable SIP BEFORE you install 10.13.3. If you already stuck. You can still re-enable SIP to see if the installation can continue.

    For those who are using unflashed Maxwell / Pascal card. You cannot access the normal recovery partition. So, to re-enable SIP.

    1) Hold Command + R + S during boot (usually hold 20-30s is good enough)
    2) wait 3 min (from you press the power button)
    3) press ENTER 10 times
    4) enter
    Code:
    csrutil enable
    5) wait 10s
    6) enter
    Code:
    reboot
    This whole procedure will be completed with black screen only. I connect an iPhone to the USB port to help me to identify the computer status. Once the recovery partition is loaded, the iPhone will shows charging (screen wake for few seconds and vibrate), that's the time I release the Command + R + S. And once the reboot command is working, I can see the iPhone charging status changed as well. A USB card reader with light indication can do the same thing. But in general, wait for 30s is good enough during boot (assuming using SSD).

    After SIP re-enabled, my Mac continue the OS installation. And I can actually see the progress bar with the Apple logo like a normal Mac with the EFI graphic card.
     
  2. bsbeamer macrumors 68020

    Joined:
    Sep 19, 2012
    #2
    SIP was disabled a few days ago.

    I updated MacPro 5,1 to 10.13.3 (17D47) with non-EFI (not flashed) GTX 1080 (Founders Edition) this morning after CUDA driver update release (387.128). Remoted into 5,1 via screen sharing from MBP to monitor the install progress (usual process once it shows up).

    Once install was complete, saw desktop and got the "no GPU" warning. Installed the graphics driver update 387.10.10.10.25.156 (as usual after OS update).

    Ran into the issue with white block in the upper left (very 1990's DOS-style but not blinking). Rebooted several times with same issue. No progress.

    Decided to swap in my GTX 680 (official Mac edition card with factory EFI, not flashed by anyone). Still ran into an issue, but this time saw the Apple boot screen and was a starburt progress icon that just wouldn't move (stuck) on top of a progress bar that locked at around 50%.

    Booted into recovery mode, re-enabled SIP. Rebooted. Everything was fine.

    Swapped the GTX 1080 back in and everything is still fine.

    **** ENABLE SIP BEFORE UPDATING 10.13.3 AND NVIDIA DRIVER 387.10.10.10.25.156 ****
     
  3. krakman, Jan 25, 2018
    Last edited: Jan 25, 2018

    krakman macrumors regular

    Joined:
    Dec 3, 2009
    #3
    my cMP with RX480 installed 10.13.3 with sip disabled without a problem although the "cannot wake from sleep" problem has returned.

    (from what i read there is better GPU support in the 10.13.4 beta so i intend to update to it as soon as it is made public)

    I wonder why you needed to reenable SIP?

    EDit: Fixed sleep issue buy editing the Info.plist file again and changing the number to 4 from 0 :

    <key>CFG_FB_LIMIT</key>
    <integer>4</integer>

    (as per instructions in the 10.13.2 thread)
     
  4. bsbeamer macrumors 68020

    Joined:
    Sep 19, 2012
    #4
    RX480 does not require NVIDIA drivers (AMD GPU). The issue likely lies in the NVIDIA driver update. Probably tied to the Meltdown and Spectre fixes that NVIDIA is providing through their GPU driver updates.

    Also reading 10.13.4 beta is great with GPU support for AMD. Official eGPU support might be getting close to exiting beta.
     
  5. h9826790 thread starter macrumors G5

    h9826790

    Joined:
    Apr 3, 2014
    Location:
    Hong Kong
    #5
    Thanks for the report. Will update the title and original post accordingly to reflect this may only affect Nvidia web driver users.
     
  6. flehman macrumors 6502

    flehman

    Joined:
    Feb 21, 2015
    #6
    I recall this coming up in some other threads when HS was released. Multiple users were reporting that the web driver installer threw out error dialogues during installation if SIP was disabled, and so it was recommended that SIP be enabled when installing web drivers in HS. Might have been over on Netkas or TonyMac forum if it wasn’t here.
     
  7. h9826790 thread starter macrumors G5

    h9826790

    Joined:
    Apr 3, 2014
    Location:
    Hong Kong
    #7
    Yes, but this is another issue. That one was due to Gatekeeper.

    Keep BOTH SIP and Gatekeeper OFF can avoid the issue. Or keep BOTH SIP and Gatekeeper ON also work (require manually approve Nvidia web driver in system preference pane).

    The problematic combination was SIP OFF but Gatekeeper ON.

    However, this time is difference. BOTH SIP and Gatekeeper OFF won't work. And nothing in the system preferences pane waiting for approval. It just hang during the update.

    But luckily, even with an unflashed card, the screen still displaying the DOS cursor, or full white screen. So, the user can see the screen, and know that the computer is stuck, and then react to it accordingly.
     
  8. bsbeamer macrumors 68020

    Joined:
    Sep 19, 2012
    #8
    The initial 10.12>10.13 update may have required SIP to be enabled, but it was not required from 10.13>10.13.1, 10.13.1>10.13.2, or with the numerous security patches under 10.13.2 (or with the corresponding NVIDIA drivers). This is a new requirement in 10.13.3. And as stated above, nothing to do with Gatekeeper.

    Looks like NVIDIA has changed their system requirements with the driver. At the end of the day, it's probably not a huge issue for me. Only disabled it to change some settings in SwitchResX for which profiles were shown and not shown. Probably didn't even need to disable it to change them - pretty standard 3840x2160 to 1920x1080 kinda stuff on a 2nd monitor/TV for video outputs.

    Will see if I can open a support ticket using the GTX 680 at some point to get additional information and report as a bug. If it is tied to anything Meltdown and Spectre they will be unable to comment and will just say to enable SIP if that works.
     
  9. h9826790, Jan 25, 2018
    Last edited: Jan 25, 2018

    h9826790 thread starter macrumors G5

    h9826790

    Joined:
    Apr 3, 2014
    Location:
    Hong Kong
    #9
    Did you check if SIP can be disable again after OS upgrade (and web driver installation) is done?

    Anyway, if you contact Nvidia, can you request them to release the audio driver for your GPU as well? I did this request 2 weeks ago (I also requested hardware video decode / encode support). So far, their reply is very "standard", didn't promise anything, but my requests already go though the Level 2 tech support guys, and forwarded to the development team for review.

    If more macOS Nvidia user submit this kind of request, may be we will have higher chance to see it come in the future.
     
  10. bsbeamer, Jan 25, 2018
    Last edited: Jan 25, 2018

    bsbeamer macrumors 68020

    Joined:
    Sep 19, 2012
    #10
    I have not tried to re-disable SIP yet. Opening a ticket with NVIDIA at the moment to try and get an answer/clarity about the issue. Have a feeling it needs to stay enabled (or be re-enabled) for updates moving forward. According to this installation note, it looks like there's a security issue they're trying to workaround...

    From the driver release notes:
    Quadro & GeForce macOS Driver Release 387.10.10.10.25.156
    https://www.nvidia.com/download/driverResults.aspx/130460/en-us

    Installation Note: Because of improvements in macOS security, the Security & Privacy Preferences may open during the installation process. If it does, click “Allow” in order for the NVIDIA Graphics Driver to load, then return to the Installer and click “Restart”.
     
  11. jhero macrumors 6502

    jhero

    Joined:
    Jan 10, 2005
    Location:
    Not near an Apple Store
    #11
    Thought I'd document my experience as well installing 10.3.3. My MP5,1 (RX580) had SIP disabled as well and upon reboot of the computer the screen stayed black. I waited for about a minute and still the login window never came up. I pressed escape first, typed in my login pw and pressed return and the computer proceeded to take me to the login window. I am not sure exactly what was present due to the black screen but was relieved it booted up OK.

    I then after re-enabled SIP with h9826790's method of CMD+R+S and rebooted -- so far so good.
     
  12. bsbeamer macrumors 68020

    Joined:
    Sep 19, 2012
    #12
    Confirmed with NVIDIA support: SIP is REQUIRED to be enabled for NVIDIA Web Driver install in 10.13.3.

    Support ticket being escalated. Hope to find out if this is a new requirement/policy moving forward for all driver installs, or if it was specific to 10.13.3. Everything is due to the security updates introduced for Meltdown/Spectre in 10.13.2 (several of them). Likely will be required for many (if not all) driver updates moving forward.
     
  13. flowrider macrumors 603

    flowrider

    Joined:
    Nov 23, 2012
    #13
    Others have reported this. I have SIP and Gatekeeper enabled and received no message with the installation of the Web Driver. BTW, I have a MVC flashed Gigabyte GTX 1080.

    Lou
     
  14. Dr. Stealth, Jan 28, 2018
    Last edited: Jan 28, 2018

    Dr. Stealth macrumors 6502a

    Dr. Stealth

    Joined:
    Sep 14, 2004
    Location:
    SoCal-Surf City USA
    #14
    I believe you only get the pop-ups (there are actually two) on the first install of the Nvidia web drivers. Once you Allow the gatekeeper exception you won't get the pop ups on subsequent Nvidia web driver installs. Just like when you install a new App and start it. It asks if you want to allow the app to continue. But on subsequent starts it doesn't ask, only the first time. That's Gatekeeper.

    What I really find kind of humorous is that Apple hasn't identified NVIDIA CORPORATION as an "Identified Developer" in macOS 10.13.3. It's not like NVIDIA is some puny off-the-wall company.....

    Screen Shot 2018-01-28 at 4.57.48 PM.png

    This is exactly what happens on a fresh clean install of HS 10.13.3 when installing the Nvidia web driver if Gatekeeper and SIP are enabled as they are by default.


    Screen Shot 2018-01-28 at 9.42.16 AM.png
     

    Attached Files:

  15. owbp macrumors 6502a

    owbp

    Joined:
    Jan 28, 2016
    Location:
    Belgrade, Serbia
    #15
    Just want to add, not that it is extremely relevant, that i've upgraded from 10.12.6 to 10.13.3 yesterday (stayed on HFS+ with my system SSD) with Nvidia GTX 970 and GT 120 installed, both SIP and Gatekeeper disabled, without any trouble or restrictions from OS. It was like installing WebDriver on Mavericks.
     
  16. h9826790, Jan 28, 2018
    Last edited: Jan 29, 2018

    h9826790 thread starter macrumors G5

    h9826790

    Joined:
    Apr 3, 2014
    Location:
    Hong Kong
    #16
    Same here (on the 13.3.3 web driver UPDATE), but I think post #14 explain everything. We did allow the older web driver in Gatekeeper in the past. Therefore, no more confirmation required now.

    Thanks for the detailed report. However, on my Mac, Nvidia is still an identified developer in 10.13.3
    Screen Shot 2018-01-29 at 10.50.30.jpg
     
  17. Dr. Stealth macrumors 6502a

    Dr. Stealth

    Joined:
    Sep 14, 2004
    Location:
    SoCal-Surf City USA
    #17

    Yes, mine shows the same. So it's interesting Gatekeeper stops the install when this box is checked to allow.

    Screen Shot 2018-01-28 at 4.57.48 PM-1.png
     
  18. h9826790 thread starter macrumors G5

    h9826790

    Joined:
    Apr 3, 2014
    Location:
    Hong Kong
    #18
    That's "allow downloaded from" or at most "open" the downloaded files, but not really automatically approve to "run" them.
     
  19. Troy2000 macrumors regular

    Troy2000

    Joined:
    Oct 21, 2009
    #19
    This has been quite a problem for me with my Mac Pro 3,1. High Sierra was installed using Dosdude1's utility, however I am now unable to enable SIP due to his SIP Disabler script.

    If I can not locate and disable the script, I may need to perform a manual installation of High Sierra.
     
  20. bsbeamer macrumors 68020

    Joined:
    Sep 19, 2012
    #20
    You are able to update High Sierra to 10.13.3 without SIP enabled, however you (likely) cannot install the NVIDIA Web Driver without it being enabled.

    It may be different if your machine ID's as an iMac (different build number) - that uses the .157 driver rather than the .156 driver. There are no specific reports.

    NVIDIA ticket about this has been escalated again. Will post an update when I have one.
     
  21. Troy2000, Jan 29, 2018
    Last edited: Jan 30, 2018

    Troy2000 macrumors regular

    Troy2000

    Joined:
    Oct 21, 2009
    #21
    Yes, I am currently running 10.13.3.

    I have attempted to force completion of the Web Driver installation by rebuilding the kext cache but have had no success as of yet.

    Incidentally, clearing the boot flags (CMD+ALT+P+R) will re-select the default OS X driver. This may be of help to people who find themselves stuck at the "white block" screen with a flashed GPU.
     
  22. bsbeamer macrumors 68020

    Joined:
    Sep 19, 2012
    #22
    LATEST FROM NVIDIA SUPPORT:

    Driver team confirmed SIP needs to be enabled starting with 10.13.3 and will be required going forward.
     
  23. h9826790 thread starter macrumors G5

    h9826790

    Joined:
    Apr 3, 2014
    Location:
    Hong Kong
    #23
    Thanks for the confirmation. It's luckily that I just went back to HFS+ coincidentally. Otherwise, there will be no simple way for me to switch between Windows and macOS.
     
  24. bsbeamer macrumors 68020

    Joined:
    Sep 19, 2012
    #24
    At the moment, I'd recommend sticking with HFS+ for all MacPro5,1 and older.

    "There is no way around this for macOS 10.13" leads me to believe it's implemented this way to address security issues rather than anything else.
     
  25. Troy2000 macrumors regular

    Troy2000

    Joined:
    Oct 21, 2009
    #25
    Well, that is rather unfortunate. It would appear that I will have to perform a manual reinstallation of High Sierra.
     

Share This Page

66 January 25, 2018