[Update and Support] Rufus USB Tool

Discussion in 'Application Software' started by user_hidden, Dec 3, 2013.

  1. eemuler

    eemuler MDL Senior Member

    Jul 31, 2015
    494
    192
    10
    I tried the garlin PS script you linked and it told me to install the KEK certificate manually, so I'll do the Mosby thing.
    garlin check01.png
    I ran the suggested command after navigating to the correct location, and it told me that revoking the existing 2011 KEK would not work as I didn't have the 2023 KEK.

    Btw, you need to create more awareness about Mosby - maybe mention it on the Rufus main screen (My other projects: or something like that). I had searched secure boot certificates update related stuff for days and I only heard about it when you mentined it above.
     
  2. Akeo

    Akeo MDL Senior Member

    Dec 10, 2013
    274
    1,912
    10
    Interesting. I know this is getting off-topic, but can you provide the full manufacturer and model or your machine (if pre-built) or motherboard (if you built it yourself)?

    That's not something I can do on my own. I need others to publicise it instead, because that's how it works. And I will not turn Rufus into an advertising screen for other products, even if I am the one developing them. Including Mosby into the UEFI Shell downloads, and advertising it there (in the readme) is far enough. And please bear in mind that the vast majority of Rufus users will absolutely not give a damn about what Mosby is or what it can do, and see any mention of it in Rufus as pure spam. So please don't assume that your personal experience is going to be a universal one...
     
  3. eemuler

    eemuler MDL Senior Member

    Jul 31, 2015
    494
    192
    10
  4. eemuler

    eemuler MDL Senior Member

    Jul 31, 2015
    494
    192
    10
    Should I change "Provision factory defaults" to Enabled?
     
  5. Akeo

    Akeo MDL Senior Member

    Dec 10, 2013
    274
    1,912
    10
    No. The "factory defaults" will be missing the 2023 certs on any firmware that is older than 1 or 2 years, so you don't want that, as it will leave you in the exact situation you are trying to address.
    What you want, if you are using Mobsy, is clear all keys, by resetting to Setup Mode, and then run Mosby to install all the new certs (including the 2023 ones) and latest DBX.

    Note that you obviously need Secure Boot off before you can enter Setup Mode and run Mosby.

    Also, this is getting a bit off-topic, as this is no longer related to Rufus. I would also strongly invite you to perform your own research as the purpose of "Provision factory defaults" for Secure Boot should be widely documented.
     
  6. Boyacaone

    Boyacaone MDL Novice

    Aug 3, 2009
    1
    0
    0
    My question is: I have all the correct certificates in Windows, but when using RUFUS, in the download tab and UEFI 2.2 it only allows the English version to be downloaded, with no option for other languages.
    Will more languages be added soon?
    Does this version already have the correct 2023 certificates?
    And will it not cause problems installing old certificates?

    Thank you.
     
  7. Akeo

    Akeo MDL Senior Member

    Dec 10, 2013
    274
    1,912
    10
    No.

    It's the UEFI Shell. It's only available in English. And the cost/benefit localizing the Shell (or Mosby) is simply way too high.

    Of course it does. There have been no "new" certificates, and there's only one set of 2023 ones, that has been available (and obviously NOT changed) since 2023.
    So, Mosby will install the correct 2023 certificates, since these will not change... EVER.
     
  8. Carlos Detweiller

    Carlos Detweiller Emperor of Ice-Cream
    Staff Member

    Dec 21, 2012
    8,076
    10,298
    270
    Certificates cannot be changed by their very own nature, just being revoked and new ones issued. Can you imagine the chaos that would break out if MS was forced to revoke the 2023 certs and to issue new ones?

    So, even IF that was the case (which it isn't), the new certs would obviously not be named 2003, but 2026. As already written, existing certificates are eternal and cannot be modified (not even extended). There is only one set of 2023 certs and they are signed by MS. There simply cannot be variants or modifications, and being able to modify existing certs would entirely defeat their purpose.


    Edit: I have used Rufus and the Mosby image to update certs on my laptop, as the lazy bums at ASUS won't do it.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...