Rufus

x509 said:

So what is a good, reliable, bootable USB creator tool that can support multiple ISOs? Ideally as easy to use as Rufus? There are lots and lots of tools out there, but it's hard to believe the claims that are made for them. That's why I am seeking the wisdom of this group.

x509

I use Rufus for Linux, and Windows own "Media creator tool" for windows 10, other windows I have CDrom.

bro67 said:

The only problem is that he is griping over something that IBM implemented in 1976, not Microsoft. https://www.linuxjournal.com/content...fi-secure-boot

I understand that BIOS is from 1976, not UEFI.
From the OP I understand than ms wont allow "keys" for GPL3 software, this what rufus devs are stating, not that they dont want to pay, but maybe they are liars, as you imply, who knows.
What I understand is that ms owns the right to decide if a software can or can not run using "secure boot".
My experience is that secure boot is a PITA if you do not use Windows and the only way to use Linux (without named PITA) is to disable secure boot.

Rufus developer here.

First of all, it seems that, despite being pointed to read the complete, not-so-long, FAQ entry where I explain, clearly, that I would have no issue whatsoever paying to have UEFI:NTFS signed for Secure Boot, and that the only issue is that Microsoft will never sign it, because it is in their Secure Boot T&C's that they will never sign anything that is GPLv3, some people still feel entitled to spread falsehoods about the whole UEFI:NTFS + Secure Boot issue being a financial problem.

Also, this has nothing to do "reasoning by the author of Rufus is that if something happens and the machine is in Secure Boot mode, he believes that people would hold him liable for their mistake". I also have no idea where @bro67 got that from, but please try to base your opinion of what you believe the author of an application is trying to accomplish on verifiable facts (for which, in this case, you'll be hard pressed to find, since what you are stating is completely untrue).

Again, and I can't stress this enough, the ONLY reason UEFI:NTFS is not signed for Secure Boot, and therefore requires users to temporarily disable it in their firmware parameters, is because Microsoft have in their Terms & Conditions for Secure Boot signing that anything GPLv3 cannot be signed (see point 4. here). That's all there is to it, really.

Now, the reason why our UEFI:NTFS code is GPLv3, besides the fact that I, as a Free Software developer, have a strong preference for that license, is because there was no way I was going to write an UEFI NTFS driver from scratch, and the only people kind enough to have produced an Open Source version of such a driver, which could easily be converted for UEFI, were the GRUB developers... and of course these people use a GPLv3 license.

So, there's not trick here, no alternate reality or attempt to get people to fund me (especially as you may also want to read my stance on donations, which is clearly explained on the Rufus homepage). No matter how much spare cash I might have, or how fine I am with people's liability when using my software in a Secure Boot environment (considering that the software comes with a big license that says that the program comes with no warranty whatsoever) I simply cannot go to Microsoft with UEFI:NTFS to get it signed, because Microsoft will simply refuse to sign it.

I would therefore greatly appreciate if people who haven't done their research stopped trying to spread falsehoods. Thank you.

Akeo said:

Again, and I can't stress this enough, the ONLY reason UEFI:NTFS is not signed for Secure Boot, and therefore requires users to temporarily disable it in their firmware parameters, is because Microsoft have in their Terms & Conditions for Secure Boot signing that anything GPLv3 cannot be signed (see point 4. here). That's all there is to it, really.

Good to hear from the source & appreciate all your work...

I can't help but assume Microsoft's decision to disallow UEFI:NTFS compatibility with Secure Boot isn't in the best interest of consumers and more along the line of protection their bottom-line...

This goes way beyond Rufus's UEFI:NTFS driver. GPL compliance is a major legal concern for all proprietary software development shops. MS has a lot to lose if the courts interpret the GPL in a way that requires revealing private keys or source code. So they are doing the safest thing and refusing to sign any GPLv3 binaries.

Also, Secure Boot does not require MS to sign anything. OEMs can install any certificates they want into the firmware - I believe Dell will install Canonical's key on systems that ship with Ubuntu. And generally users are allowed to manually install their own certificates, though the process to do so is beyond what most end-users can handle.

Obviously with MS's dominance in the PC market OEMs are basically forced to install the MS keys on all their systems. If you want to deploy a UEFI binary widely, you would either need to get every OEM to install your key into their firmware or you get your binary signed by a key that's already on every system (i.e. Microsoft's key) but subject yourself to the key owner's restrictions.