Per-Device Install Notes
This page collects hardware-specific notes for installing InterGenOS on named devices and common device classes. It exists because firmware behavior, not InterGenOS itself, is the usual source of install friction: how a given board exposes Secure Boot, how it stages a Machine Owner Key (MOK), and what its UEFI menus call things vary by vendor.
InterGenOS builds a fully signed boot chain, but it does not require UEFI Secure Boot — the default fleet install runs with Secure Boot off. The notes below help you get a specific machine installed, and, if you want firmware-enforced verification, into a state where MOK enrollment works.
If your exact device is not listed, the general flow in Verified Boot & Secure Boot and the FORGE Installation Guide applies unchanged. The device-class notes here are additions, not replacements.
Before you start: what every device needs
Regardless of make and model, a successful install needs the firmware in this state:
- UEFI mode, not legacy/CSM/BIOS-compatibility boot. This is the one hard requirement.
- The signed shim boots either way. InterGenOS boots through a Microsoft-signed shim — Fedora’s pre-signed shim, which the firmware trusts via the Microsoft third-party CA — so most off-the-shelf machines boot the live ISO without any firmware change — whether Secure Boot is on or off.
- (Optional) the ability to enroll a MOK, only if you want Secure Boot enforcement. FORGE generates a per-machine MOK during install; on hardware where you enable Secure Boot, MokManager enrolls it at the next reboot using a single-use password. The default fleet install leaves Secure Boot off and skips this step.
You do not need Setup Mode for normal operation.
OEM laptops with a greyed-out Secure Boot toggle
Some firmware, especially on OEM laptops, makes the Secure Boot setting read-only unless the machine is in Setup Mode. This shows up as a greyed-out Secure Boot toggle in the firmware menu.
You generally do not need to change anything: InterGenOS installs and runs whether Secure Boot is on or off, so a greyed-out toggle in either state is fine. If you want Secure Boot enforcement and the toggle is greyed out in a disabled state, consult your hardware vendor’s documentation for entering Setup Mode. InterGenOS does not require Setup Mode itself.
Machines where MokManager does not appear
On the first boot after install, the firmware should detect the pending MOK enrollment request and run MokManager (a small blue-text-on-black utility) before continuing. If MokManager never appears and a freshly installed kernel will not boot, the system falls through to a recovery boot entry that loads the bare kernel directly. From there you can re-enroll or regenerate the MOK. The full symptom-to-fix walkthrough is in Verified Boot & Secure Boot.
The recovery boot entry exists precisely so that a missed enrollment never leaves you with an unbootable machine.
UEFI System Partition (ESP) sizing
This is hardware-adjacent rather than device-specific, and it matters most on machines with small or pre-partitioned ESPs. Every kernel you install becomes a Unified Kernel Image (UKI) in the ESP, and a typical UKI is 80–150 MB. FORGE creates a fixed 1 GiB ESP during partitioning, leaving room for several kernel generations.
If you are installing alongside an existing OS and reusing its small ESP, expect kernel installs to fail once it fills. The cleaner path is to let FORGE create an ESP at its minimum size or larger.
Encrypted installs
The encrypted-install option works the same across devices: FORGE folds a small full-disk-encryption initramfs (the LUKS unlock prompt) into the same signed UKI as the kernel, so one signature covers the entire boot path including the unlock step. See Disk Encryption & LUKS for the full flow.
TPM2-sealed unlock is an experimental v1.0 feature. If your device has a TPM2 and you opt into sealed unlock, the bits that talk to the TPM live inside the same signed UKI envelope. The TPM is not a way to skip Secure Boot verification.
Graphics and out-of-tree drivers
InterGenOS ships GNOME 49 on Wayland today. Open-source graphics drivers built into the signed kernel need no extra steps.
If your device needs out-of-tree modules (for example, proprietary GPU drivers via DKMS) and you are running with Secure Boot enabled, the firmware will not load them unsigned. Sign them with your own MOK and install them through the standard package-manager flow, the same mechanism that signs your kernels. See the out-of-tree-module discussion in Verified Boot & Secure Boot and the Per-GPU Driver Notes.
Reporting a device
If you install InterGenOS on a device not covered here and hit a firmware-specific snag (or confirm a clean install), that information is worth capturing so the next person with the same hardware has a head start. See the FAQ for where to take questions and reports.
See also
- Verified Boot & Secure Boot — the full boot-chain model, MOK enrollment screens, kernel signing, and recovery paths.
- FORGE Installation Guide — the end-to-end installer flow.
- Disk Encryption & LUKS — encrypted-install details.
- Recovery & Reinstall — recovering a machine that will not boot.
- FAQ — common install questions.