Unpaired macOS Recovery System: Can't Disable SIP
I recently needed to temporarily disable System Integrity Protection (SIP) to remove some System Extensions (the newer version of what used to be called Kernel Extensions). The types and purposes of these extensions is not important but while you can install System Extensions without disabling SIP, currently removing them does. It is called out in the systemextensionsctl uninstall
command that this should be able to be done without disabling SIP in the future.
I won’t go into full detail on how to remove System Extensions or disable SIP in this guide as there are plenty of them already out there. However when I went to perform the necessary csrutil disable
command in the Recovery OS terminal so that I could perform the systemextensionsctl uninstall
command in the booted OS, I was met with the error:
The current recovery system is not paired with the requested volume. Ensure that the booted recovery system matches the main system that is being modified.
I haven’t been able to reproduce this issue to figure out how these systems became “unpaired”. I don’t know if it was a series of updates, an oddly applied firmware upgrade, or what.
On a hunch that recent macOS versions are effectively sealed, where the OS is on a signed and read-only volume and your files and applications are carefully mounted into the right positions (more on that fascinating architecture over at Eclectic Light Company, here and here), I wondered if just reinstalling the OS would resolve my issue.
It worked!
Performing the reinstall allowed me to reboot into recovery again and perform csrutil disable
without error and then remove the system extensions. (And then re-enabled SIP!)
1. Backup!
On the off chance this reinstall breaks things even worse, you should always have a backup. Use your backup tool of choice, say Time Machine or even Carbon Copy Cloner, and have a trusty fallback.
2. Disable FileVault
I performed this step as a precaution, not as a necessary action. The reasoning behind it was that with this disabled, it was more likely that the reinstall would not blow away the data partition if it couldn’t access it. Past experience has shown that this isn’t always required.
3. Perform Recovery
I followed the steps in Apple’s knowledge base article, being careful to make sure I was logging in when prompted for an admin user to unlock the disk.
This step will take some time, for me about two hours, including the downloading of a fresh copy of Monterey. Even if it appears there is nothing happening, magic is happening under the hood. After the reinstall has completed, your Mac should reboot and present you with the same login screen you were familiar with before, as though nothing happened. Logging into your profile the first time after the reinstall will be temporarily slow but all subsequent logins will be as fast as expected.
4. Retry Disabling SIP
For my case, the reinstall didn’t remove the System Extensions so I still needed to go back in and disable SIP. Reboot into recovery once more and perform csrutil disable
. You should see the typical prompts for confirmation and elevated user credentials to perform the operation, after which SIP will be disabled.