Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

{WARNING} 10.13.3 update may REQUIRE SIP enabled with Nvidia web driver

h9826790

macrumors G5
Original poster
Apr 3, 2014
14,717
7,166
Hong Kong
Both bsbeamer and me was stuck during 10.13.3 upgrade with unflashed Nvidia Pascal GPU. And both of us can fix the issue by re-enabling SIP.

This seems nothing to do with EFI, bebeamer cannot fix the issue by swapping his GTX680 Mac Edition card back in.

So, if any of you want to perform this OS upgrade with Nvidia web driver installed. I highly suggest you re-enable SIP BEFORE you install 10.13.3. If you already stuck. You can still re-enable SIP to see if the installation can continue.

For those who are using unflashed Maxwell / Pascal card. You cannot access the normal recovery partition. So, to re-enable SIP.

1) Hold Command + R + S during boot (usually hold 20-30s is good enough)
2) wait 3 min (from you press the power button)
3) press ENTER 10 times
4) enter
Code:
csrutil enable
5) wait 10s
6) enter
Code:
reboot

This whole procedure will be completed with black screen only. I connect an iPhone to the USB port to help me to identify the computer status. Once the recovery partition is loaded, the iPhone will shows charging (screen wake for few seconds and vibrate), that's the time I release the Command + R + S. And once the reboot command is working, I can see the iPhone charging status changed as well. A USB card reader with light indication can do the same thing. But in general, wait for 30s is good enough during boot (assuming using SSD).

After SIP re-enabled, my Mac continue the OS installation. And I can actually see the progress bar with the Apple logo like a normal Mac with the EFI graphic card.
 
Last edited:

bsbeamer

macrumors 68040
Sep 19, 2012
3,875
2,039
SIP was disabled a few days ago.

I updated MacPro 5,1 to 10.13.3 (17D47) with non-EFI (not flashed) GTX 1080 (Founders Edition) this morning after CUDA driver update release (387.128). Remoted into 5,1 via screen sharing from MBP to monitor the install progress (usual process once it shows up).

Once install was complete, saw desktop and got the "no GPU" warning. Installed the graphics driver update 387.10.10.10.25.156 (as usual after OS update).

Ran into the issue with white block in the upper left (very 1990's DOS-style but not blinking). Rebooted several times with same issue. No progress.

Decided to swap in my GTX 680 (official Mac edition card with factory EFI, not flashed by anyone). Still ran into an issue, but this time saw the Apple boot screen and was a starburt progress icon that just wouldn't move (stuck) on top of a progress bar that locked at around 50%.

Booted into recovery mode, re-enabled SIP. Rebooted. Everything was fine.

Swapped the GTX 1080 back in and everything is still fine.

**** ENABLE SIP BEFORE UPDATING 10.13.3 AND NVIDIA DRIVER 387.10.10.10.25.156 ****
 
  • Like
Reactions: Synchro3

krakman

macrumors regular
Dec 3, 2009
248
239
my cMP with RX480 installed 10.13.3 with sip disabled without a problem although the "cannot wake from sleep" problem has returned.

(from what i read there is better GPU support in the 10.13.4 beta so i intend to update to it as soon as it is made public)

I wonder why you needed to reenable SIP?

EDit: Fixed sleep issue buy editing the Info.plist file again and changing the number to 4 from 0 :

<key>CFG_FB_LIMIT</key>
<integer>4</integer>

(as per instructions in the 10.13.2 thread)
 
Last edited:

bsbeamer

macrumors 68040
Sep 19, 2012
3,875
2,039
my cMP with RX480 installed 10.13.3 with sip disabled without a problem although the "cannot wake from sleep" problem has returned.

(from what i read there is better GPU support in the 10.13.4 beta so i intend to update to it as soon as it is made public)

I wonder why you needed to reenable SIP?

RX480 does not require NVIDIA drivers (AMD GPU). The issue likely lies in the NVIDIA driver update. Probably tied to the Meltdown and Spectre fixes that NVIDIA is providing through their GPU driver updates.

Also reading 10.13.4 beta is great with GPU support for AMD. Official eGPU support might be getting close to exiting beta.
 

h9826790

macrumors G5
Original poster
Apr 3, 2014
14,717
7,166
Hong Kong
my cMP with RX480 installed 10.13.3 with sip disabled without a problem although the "cannot wake from sleep" problem has returned.

(from what i read there is better GPU support in the 10.13.4 beta so i intend to update to it as soon as it is made public)

I wonder why you needed to reenable SIP?

Thanks for the report. Will update the title and original post accordingly to reflect this may only affect Nvidia web driver users.
 

flehman

macrumors 6502
Feb 21, 2015
352
193
Thanks for the report. Will update the title and original post accordingly to reflect this may only affect Nvidia web driver users.

I recall this coming up in some other threads when HS was released. Multiple users were reporting that the web driver installer threw out error dialogues during installation if SIP was disabled, and so it was recommended that SIP be enabled when installing web drivers in HS. Might have been over on Netkas or TonyMac forum if it wasn’t here.
 

h9826790

macrumors G5
Original poster
Apr 3, 2014
14,717
7,166
Hong Kong
I recall this coming up in some other threads when HS was released. Multiple users were reporting that the web driver installer threw out error dialogues during installation if SIP was disabled, and so it was recommended that SIP be enabled when installing web drivers in HS. Might have been over on Netkas or TonyMac forum if it wasn’t here.

Yes, but this is another issue. That one was due to Gatekeeper.

Keep BOTH SIP and Gatekeeper OFF can avoid the issue. Or keep BOTH SIP and Gatekeeper ON also work (require manually approve Nvidia web driver in system preference pane).

The problematic combination was SIP OFF but Gatekeeper ON.

However, this time is difference. BOTH SIP and Gatekeeper OFF won't work. And nothing in the system preferences pane waiting for approval. It just hang during the update.

But luckily, even with an unflashed card, the screen still displaying the DOS cursor, or full white screen. So, the user can see the screen, and know that the computer is stuck, and then react to it accordingly.
 

bsbeamer

macrumors 68040
Sep 19, 2012
3,875
2,039
The initial 10.12>10.13 update may have required SIP to be enabled, but it was not required from 10.13>10.13.1, 10.13.1>10.13.2, or with the numerous security patches under 10.13.2 (or with the corresponding NVIDIA drivers). This is a new requirement in 10.13.3. And as stated above, nothing to do with Gatekeeper.

Looks like NVIDIA has changed their system requirements with the driver. At the end of the day, it's probably not a huge issue for me. Only disabled it to change some settings in SwitchResX for which profiles were shown and not shown. Probably didn't even need to disable it to change them - pretty standard 3840x2160 to 1920x1080 kinda stuff on a 2nd monitor/TV for video outputs.

Will see if I can open a support ticket using the GTX 680 at some point to get additional information and report as a bug. If it is tied to anything Meltdown and Spectre they will be unable to comment and will just say to enable SIP if that works.
 
  • Like
Reactions: Synchro3

h9826790

macrumors G5
Original poster
Apr 3, 2014
14,717
7,166
Hong Kong
The initial 10.12>10.13 update may have required SIP to be enabled, but it was not required from 10.13>10.13.1, 10.13.1>10.13.2, or with the numerous security patches under 10.13.2 (or with the corresponding NVIDIA drivers). This is a new requirement in 10.13.3. And as stated above, nothing to do with Gatekeeper.

Looks like NVIDIA has changed their system requirements with the driver. At the end of the day, it's probably not a huge issue for me. Only disabled it to change some settings in SwitchResX for which profiles were shown and not shown. Probably didn't even need to disable it to change them - pretty standard 3840x2160 to 1920x1080 kinda stuff on a 2nd monitor/TV for video outputs.

Will see if I can open a support ticket using the GTX 680 at some point to get additional information and report as a bug. If it is tied to anything Meltdown and Spectre they will be unable to comment and will just say to enable SIP if that works.

Did you check if SIP can be disable again after OS upgrade (and web driver installation) is done?

Anyway, if you contact Nvidia, can you request them to release the audio driver for your GPU as well? I did this request 2 weeks ago (I also requested hardware video decode / encode support). So far, their reply is very "standard", didn't promise anything, but my requests already go though the Level 2 tech support guys, and forwarded to the development team for review.

If more macOS Nvidia user submit this kind of request, may be we will have higher chance to see it come in the future.
 
Last edited:

bsbeamer

macrumors 68040
Sep 19, 2012
3,875
2,039
I have not tried to re-disable SIP yet. Opening a ticket with NVIDIA at the moment to try and get an answer/clarity about the issue. Have a feeling it needs to stay enabled (or be re-enabled) for updates moving forward. According to this installation note, it looks like there's a security issue they're trying to workaround...

From the driver release notes:
Quadro & GeForce macOS Driver Release 387.10.10.10.25.156
https://www.nvidia.com/download/driverResults.aspx/130460/en-us

Installation Note: Because of improvements in macOS security, the Security & Privacy Preferences may open during the installation process. If it does, click “Allow” in order for the NVIDIA Graphics Driver to load, then return to the Installer and click “Restart”.
 
Last edited:

jhero

macrumors 6502
Jan 10, 2005
353
8
Not near an Apple Store
Thought I'd document my experience as well installing 10.3.3. My MP5,1 (RX580) had SIP disabled as well and upon reboot of the computer the screen stayed black. I waited for about a minute and still the login window never came up. I pressed escape first, typed in my login pw and pressed return and the computer proceeded to take me to the login window. I am not sure exactly what was present due to the black screen but was relieved it booted up OK.

I then after re-enabled SIP with h9826790's method of CMD+R+S and rebooted -- so far so good.
 
  • Like
Reactions: h9826790

bsbeamer

macrumors 68040
Sep 19, 2012
3,875
2,039
Confirmed with NVIDIA support: SIP is REQUIRED to be enabled for NVIDIA Web Driver install in 10.13.3.

Support ticket being escalated. Hope to find out if this is a new requirement/policy moving forward for all driver installs, or if it was specific to 10.13.3. Everything is due to the security updates introduced for Meltdown/Spectre in 10.13.2 (several of them). Likely will be required for many (if not all) driver updates moving forward.
 

flowrider

macrumors 603
Nov 23, 2012
6,322
2,404
Keep BOTH SIP and Gatekeeper OFF can avoid the issue. Or keep BOTH SIP and Gatekeeper ON also work (require manually approve Nvidia web driver in system preference pane).

Others have reported this. I have SIP and Gatekeeper enabled and received no message with the installation of the Web Driver. BTW, I have a MVC flashed Gigabyte GTX 1080.

Lou
 

Dr. Stealth

macrumors 6502a
Sep 14, 2004
812
722
SoCal-Surf City USA
I believe you only get the pop-ups (there are actually two) on the first install of the Nvidia web drivers. Once you Allow the gatekeeper exception you won't get the pop ups on subsequent Nvidia web driver installs. Just like when you install a new App and start it. It asks if you want to allow the app to continue. But on subsequent starts it doesn't ask, only the first time. That's Gatekeeper.

What I really find kind of humorous is that Apple hasn't identified NVIDIA CORPORATION as an "Identified Developer" in macOS 10.13.3. It's not like NVIDIA is some puny off-the-wall company.....

Screen Shot 2018-01-28 at 4.57.48 PM.png


This is exactly what happens on a fresh clean install of HS 10.13.3 when installing the Nvidia web driver if Gatekeeper and SIP are enabled as they are by default.


Screen Shot 2018-01-28 at 9.42.16 AM.png
 

Attachments

  • Screen Shot 2018-01-28 at 4.57.48 PM.png
    Screen Shot 2018-01-28 at 4.57.48 PM.png
    9.3 KB · Views: 162
Last edited:

owbp

macrumors 6502a
Jan 28, 2016
717
241
Belgrade, Serbia
Just want to add, not that it is extremely relevant, that i've upgraded from 10.12.6 to 10.13.3 yesterday (stayed on HFS+ with my system SSD) with Nvidia GTX 970 and GT 120 installed, both SIP and Gatekeeper disabled, without any trouble or restrictions from OS. It was like installing WebDriver on Mavericks.
 
  • Like
Reactions: h9826790

h9826790

macrumors G5
Original poster
Apr 3, 2014
14,717
7,166
Hong Kong
Others have reported this. I have SIP and Gatekeeper enabled and received no message with the installation of the Web Driver. BTW, I have a MVC flashed Gigabyte GTX 1080.

Lou

Same here (on the 13.3.3 web driver UPDATE), but I think post #14 explain everything. We did allow the older web driver in Gatekeeper in the past. Therefore, no more confirmation required now.

I believe you only get the pop-ups (there are actually two) on the first install of the Nvidia web drivers. Once you Allow the gatekeeper exception you won't get the pop ups on subsequent Nvidia web driver installs. Just like when you install a new App and start it. It asks if you want to allow the app to continue. But on subsequent starts it doesn't ask, only the first time. That's Gatekeeper.

What I really find kind of humorous is that Apple hasn't identified NVIDIA CORPORATION as an "Identified Developer" in macOS 10.13.3. It's not like NVIDIA is some puny off-the-wall company.....

View attachment 748973

This is exactly what happens on a fresh clean install of HS 10.13.3 when installing the Nvidia web driver if Gatekeeper and SIP are enabled as they are by default.


View attachment 748970

Thanks for the detailed report. However, on my Mac, Nvidia is still an identified developer in 10.13.3
Screen Shot 2018-01-29 at 10.50.30.jpg
 
Last edited:

Troy2000

macrumors regular
Oct 21, 2009
200
74
This has been quite a problem for me with my Mac Pro 3,1. High Sierra was installed using Dosdude1's utility, however I am now unable to enable SIP due to his SIP Disabler script.

If I can not locate and disable the script, I may need to perform a manual installation of High Sierra.
 

bsbeamer

macrumors 68040
Sep 19, 2012
3,875
2,039
This has been quite a problem for me with my Mac Pro 3,1. High Sierra was installed using Dosdude1's utility, however I am now unable to enable SIP due to his SIP Disabler script.

If I can not locate and disable the script, I may need to perform a manual installation of High Sierra.

You are able to update High Sierra to 10.13.3 without SIP enabled, however you (likely) cannot install the NVIDIA Web Driver without it being enabled.

It may be different if your machine ID's as an iMac (different build number) - that uses the .157 driver rather than the .156 driver. There are no specific reports.

NVIDIA ticket about this has been escalated again. Will post an update when I have one.
 

Troy2000

macrumors regular
Oct 21, 2009
200
74
You are able to update High Sierra to 10.13.3 without SIP enabled, however you (likely) cannot install the NVIDIA Web Driver without it being enabled.

It may be different if your machine ID's as an iMac (different build number) - that uses the .157 driver rather than the .156 driver. There are no specific reports.

NVIDIA ticket about this has been escalated again. Will post an update when I have one.
Yes, I am currently running 10.13.3.

I have attempted to force completion of the Web Driver installation by rebuilding the kext cache but have had no success as of yet.

Incidentally, clearing the boot flags (CMD+ALT+P+R) will re-select the default OS X driver. This may be of help to people who find themselves stuck at the "white block" screen with a flashed GPU.
 
Last edited:

h9826790

macrumors G5
Original poster
Apr 3, 2014
14,717
7,166
Hong Kong
LATEST FROM NVIDIA SUPPORT:

Driver team confirmed SIP needs to be enabled starting with 10.13.3 and will be required going forward.

Thanks for the confirmation. It's luckily that I just went back to HFS+ coincidentally. Otherwise, there will be no simple way for me to switch between Windows and macOS.
 
  • Like
Reactions: Synchro3

bsbeamer

macrumors 68040
Sep 19, 2012
3,875
2,039
At the moment, I'd recommend sticking with HFS+ for all MacPro5,1 and older.

"There is no way around this for macOS 10.13" leads me to believe it's implemented this way to address security issues rather than anything else.
 

Troy2000

macrumors regular
Oct 21, 2009
200
74
Well, that is rather unfortunate. It would appear that I will have to perform a manual reinstallation of High Sierra.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.