No replies to this topic

[Akeo]

(Start a new thread once more, since this is a major version and I supposed the old thread has been getting long enough...)

 

It is with great pleasure that I announce the release of Rufus 4.0.

 

This new major release comes with the following changes:

• Fix persistent partition not working with Ubuntu 23.04
• Fix out of range pointer error with Ubuntu 23.04 when booting in BIOS mode
• Fix boot freeze with Ubuntu Studio when Secure Boot is enabled
• Fix incorrect architecture detection when checking for updates
• Fix a Windows Store application crash when processing GRUB bootloaders
• Fix a Windows Store application crash when enumerating processes that contain a % sign
• Fix a Windows Store application crash when using German localization

Whereas the changes from the last release are mostly fixes, the major version received a bump to 4.x on account that:

• Rufus is now requiring Windows 8 or later (Windows 7 is no longer supported)
• The Rufus executable now defaults to 64-bit x86 rather than 32-bit x86 (though a 32-bit x86 executable is provided if you still need one)
• Previous versions of Rufus might potentially not be able to update to a working 4.0 executable

We also decided not to go through a BETA for this release due to the Ubuntu 23.04 fixes needing to be released on a rather urgent basis.

 

Hopefully, this new release will live to your expectations. If not, I will remind you that you can always log an issue in the Rufus issue tracker.

 

Enjoy!

[misty]

Thanks Akeo.

Whilst I generally prefer/use a manual approach, Rufus is my goto when I can't be ars3d - it's portable, simple and intuitive.

Fantastic work.

[TheHive]

Thanks! and congrats on the new updates.

 

I was wondering if in the future, rufus could have an option to create output to a file vhd, img or something similar.

[Akeo]

Rufus 4.1 has been released:

• Add timeouts on enumeration queries that may stall on some systems
• Restore MS-DOS drive creation through the download of binaries from Microsoft
• Update the log button icon
• Fix UEFI:NTFS incompatibility with Windows Dev Kit 2023 platform
• Fix more GRUB 'out of range pointer' errors with Ubuntu/Fedora when booting in BIOS mode

[Akeo]

Rufus 4.2 BETA is now available from the usual location.

This new version brings the following changes:

• Add detection and warning for UEFI revoked bootloaders (including ones revoked through SkuSiPolicy.p7b)
• Add ZIP64 support, to extract .zip images that are larger than 4 GB
• Add saving and restoring current drive to/from compressed VHDX image
• Add saving and restoring current drive to/from compressed FFU (Full Flash Update) image [EXPERIMENTAL]
• Fix a crash when trying to open Windows ISOs, with the x86 32-bit version
• Increase ISO → ESP limit, for Debian 12 netinst images
• Make sure the main partition size is aligned to the cluster size

Of special interest, I will mention the first item that has to do with warning users if they are using a UEFI bootloader that has been revoked, which mostly stems from the slew of revocations that have been added in the wake of Black Lotus.

As of now, and with the big question mark of what tomorrow's patch tuesday will bring for the second phase of Microsoft's inscrutable Black Lotus mitigation (see here), Rufus will attempt to detect revoked bootloaders from the official UEFI DBX as well as Windows' SkuSiPolicy.p7b, which means that, on a Windows system that have received the relevant May update, you will see something similar to this in your log:

Found 517 officially revoked UEFI bootloaders from embedded list
Found 2351 additional revoked UEFI bootloaders from this system's SKUSiPolicy.p7b

Then, if you happen to use a Windows or ISO that happens to use a revoked bootloader, you will see one of these screens depending on whether the revocation came from the DBX or SKUSiPolicy.p7b on account that SKU Policy based revocation are not handled by the UEFI firmware itself but by Microsoft's boot manager:



However, this whole Black Lotus revocation thing is still a massive mess, especially as, currently, every single of these 3 lines from Microsoft's official https://uefi.org/sit...elease_info.pdf detailing the revocation is inaccurate:

• Boot Managers from Windows 8 to Windows 10, version 1507: revoked by DBX entries
• Boot Managers from Windows 10, version 1507 to Windows 10, version 1607: revoked by hash by SKU SiPolicy
• Boot Managers from Windows 10, version 1703 to today: revoked by version number by SKU SiPolicy

First one is inaccurate on account that, currently, the Boot Managers from official Windows 8 releases, such as en-gb_windows_8.1_with_update_x64_dvd_4048142.iso are being let through.
Second one is inaccurate on account that. currently, the Boot Managers from official post 1507 and pre 1607 Windows 10 releases, such as en_windows_10_multiple_editions_version_1511_x64_dvd_7223712.iso or en_windows_10_multiple_editions_version_1511_updated_feb_2016_x64_dvd_8379634.iso are not revoked from SKU SiPolicy.
And finally, the third one is inaccurate because the SKU SiPolicy that Microsoft published in May contains absolutely no rule to revocate any binaries by version numbers.

For more on this, you may want to see https://github.com/p...fus/issues/2244. Thus. seeing how botched Microsoft's current Black Lotus mitigation appears to be, one can only wonder how on earth they were left in complete control of the whole Secure Boot signing process (Oh, and you gotta love the irony of Microsoft pushing for their own version of Secure Boot that is "more secure than Secure Boot", where, on Microsoft controlled hardware, they don't allow standard Secure Boot signed bootloaders to go through by default, on account that, according to Microsoft, they might not be as trustworthy as the oh-so-much-safer bootloaders Microsoft produces, only for Microsoft to get exposed with their pants down with a vulnerability that, by the first quarter of 2024, will have forced them to essentially revoke every single Secure Boot signed Windows bootloader that they produced before March 2023).

But anyway, provided Microsoft eventually get their act together, Rufus will try to detect and warn you about using a vulnerable UEFI bootloader...


The other point that might be of interest is experimental support for saving and restoring .ffu image media.
While not much has been made of .ffu to date (and I certainly have not seen Microsoft providing Windows .ffu installation images like they provide Windows ISO installation images), one of the big advantages of .ffu, provided that most of your media you use a Windows file system like NTFS, is that it is smart enough not to perform a sector by sector copy, where you then have to contend with any garbage left over from using quick format rather than slow/full format, but only copy the clusters that are actually in use by the file system, which, can lead to both drastic save/restore speed as well as unheard levels of compression.

For instance, you could create a UEFI:NTFS media from a 1 TB drive, and find that it will compress to only the amount of NTFS data that is actually be used, and create or restore the whole 1 TB .ffu media in a matters of seconds. Note however that, as far as NTFS is concerned, this requires the NTFS partition size to be an exact multiple of the cluster size (hence the reason for the last item from the new ChangeLog).

But of course, unless you create NTFS based Linux installation media, and that doesn't include anything fancy like persistence (or weird ISOHybrid partitions -- there's a reason why Rufus does not default to using DD mode with ISOHybrid), you can forget about benefiting from the .ffu advanges on anything non Windows...

[Akeo]

Rufus 4.2 has now been released.

 

The final ChangeLog is:

• Add detection and warning for UEFI revoked bootloaders (including ones revoked through SkuSiPolicy.p7b)
• Add ZIP64 support, to extract .zip images that are larger than 4 GB
• Add saving and restoring current drive to/from compressed VHDX image
• Add saving and restoring current drive to/from compressed FFU (Full Flash Update) image [EXPERIMENTAL]
• Fix a crash when trying to open Windows ISOs, with the MinGW compiled x86 32-bit version
• Fix an issue where ISOs that contain a boot image with an 'EFI' label are not detected as bootable
• Increase the ISO → ESP limit for Debian 12 netinst images
• Ensure that the main partition size is aligned to the cluster size

[Akeo]

Rufus 4.3 has been released:

• Add support for Rock Ridge symbolic links preservation when NTFS is used
• Add an exception to enforce NTFS for Linux Mint's LMDE
• Add an expert feature to restrict a Windows installation to S Mode
• Fix persistence support for Debian 12 when booted in BIOS mode
• Fix a regression that prevented the opening of .vhd images
• Update UEFI:NTFS to report a more explicit error on bootmgr security issues
• Improve the search for conflicting processes by running it in a background thread
• Improve support for Slax Linux

[Akeo]

Rufus 4.4 has now been released:

• Add workaround for distros that use broken symbolic links as their UEFI bootloaders (such as Mint 21.3)
• Add support for GRUB 2.12
• Fix a crash when saving .ffu images
• Fix UEFI:NTFS partition not being added, in MBR mode, for some Linux ISOs
• Prevent Microsoft Dev Drives from being listed
• Improve support for SDXC card readers
• Improve Large FAT32 formatting by aligning start of data regions to 1 MB (courtesy of Fred)

[Akeo]

Rufus 4.5 BETA is now available.

 

This upcoming release brings the following changes:

• Add a new advanced option, that adds runtime UEFI media validation to suitable images (Windows, most Linux)
• Move the Use Rufus MBR advanced option to a cheat mode (Alt-A)
• Fix truncation of VHDX images, as well as a benign error message when writing VHD/VHDX
• Fix support for Linux persistence in some configurations (Mint, Ubuntu 24.04)
• Fix multiple potential vulnerabilities (with thanks to Mansour Gashasbi)
• Update internal GRUB to version 2.12
• Update UEFI:NTFS to latest (now always uses the ntfs-3g driver, rather than the buggy AMI NTFS one)
• Increase buffer size when copying ISO files, in an attempt to minimize the AMI NTFS UEFI driver bug
• Improve partition creation handling
• Don't display the WUE dialog when a conflicting unattend.xml already exists

 

The most interesting change from this release has to be the runtime UEFI media validation option (which you will find under the advanced drive properties section) and that, when selected, adds a UEFI bootloader which performs runtime MD5Sum validation of the media.

 

This can for instance be enabled with Windows ISOs to ensure that the system you are booting from on does not see any corruption with the installation media. Given the unreliability of generic flash based media, and especially of cheap USB flash drives, we believe that performing runtime validation is a much more desirable option than performing a one-of validation at write time (which is what balenaEtcher and to a lesser extent Micrsoft's MCT do), as the media can very much fail between the time you write to it and the time you read content from it.

 

Obviously, since this requires chain loading bootloaders, and doing so is complex to do for BIOS, this is only available for UEFI images, and when the image is not written in DD mode, which means it can be applied to any modern Windows ISO as well as most recent Linux ISOs. Once enabled, you will be greeted with something like this every time you boot the media (which you can interrupt at any time of course):

 

 

Oh, and the bootloader is Secure Boot signed, so this will work in Secure Boot enabled environments as well.

 

Now of course, all of this is great... until you happen to try to validate Windows media on systems that use the infamous AMI NTFS UEFI driver because, as mentioned in the notes above, the AMI NTFS driver has a major bug where it may completely misread data (basically, under some circumstances, it appears to reset to reading to the beginning of a file instead of continuing from the last position, which is better than producing garbage data I guess, but still not exactly what one wants from a working file system driver), which can result in the media validation process to report MD5Sum errors when none actually exist! And sadly, the chances is that if you do have a UEFI system that can read NTFS, it will use the AMI proprietary NTFS driver, so you are likely to be affected...

 

If you are interested, the whole thing is detailed at https://github.com/pbatard/AmiNtfsBug. AMI have of course been notified, a couple months ago, but have yet to produce a more substantial response than "We'll look into it". Thankfully, since Rufus also install its own UEFI:NTFS bootloader and its own NTFS driver, if you create an NTFS partition for UEFI boot, you can always work around this issue by booting from the  UEFI:NTFS partition on the media instead of the main one, as UEFI:NTFS will kick-out the AMI NTFS driver to where it belongs and instead replace it with its own, derived from the well-tested and Open Source ntfs-3g project, and not affected by this issue.

 

Also note however that, even if you do boot using the buggy AMI NTFS driver, this is unlikely to affect a Windows installation, as my understanding is that, once booted, the Windows installer uses its own driver to read from the installation media, rather than rely on the UEFI one, and that all the UEFI bootloader data that is read prior to that, through the buggy driver, will be read in one go, in which case the bug should not trigger.

 

Still, this is what you get for not wanting to work with the EDK2 or the ntfs-3g folks to produce an actual Open Source UEFI NTFS driver (which would have really helped users all over the world in ensure that they can use media with files larger than 4 GB with UEFI) and instead insisting on going the proprietary, closed-source route, with the result of now having this bug present on millions of machines. Yup, great job here AMI!...