Boot & Graphical Issues

This page covers the problems most users hit between pressing the power button and reaching a working desktop: Secure Boot and MOK enrollment, kernels that refuse to load, and graphics or session issues under GNOME on Wayland.

InterGenOS builds a fully signed boot chain and signs every kernel it boots, but Secure Boot enforcement is optional and off by default on the current fleet. Boot problems still often trace back to the signing chain rather than a missing driver, so this page leans heavily on the boot chain. For the full design — including what is signed versus enforced — see Verified Boot & Secure Boot.

Boot does not look like other distributions

InterGenOS ships no boot splash. There is no logo painted over the seconds between GRUB and the login screen. You see the kernel hand off to systemd, every service start with [OK] or [FAILED] markers, the network come up, and AppArmor load.

This is intended. A visible boot is a security signal: a broken mount, an odd module load, or a hardware change shows up immediately instead of hiding behind a logo. If you are used to a silent splash, the scrolling text is normal, not a fault.

MokManager appears at first boot

On the first boot after installing with Forge, the firmware notices a pending Machine Owner Key (MOK) enrollment request and runs MokManager before continuing. It is a small blue-text-on-black utility with three screens:

  1. “Perform MOK management” — press any key to start.
  2. “Enroll MOK” — review the certificate. The subject reads CN=InterGenOS Machine Owner Key. Confirm.
  3. “Enter password” — type the enrollment password Forge gave you on the install-complete screen (also written to the install log at /var/log/intergen-install.log). The password is single-use.

After enrollment, the system boots into InterGenOS normally and the firmware trusts your MOK from then on.

Write the enrollment password down before you reboot. You need it once, during this step.

MokManager appears on every boot

If boot stops at MokManager each time, enrollment never completed. Walk through the three screens above to completion. The firmware re-prompts until the key is actually enrolled.

MokManager rejected the password

MokManager allows three attempts, then reboots. A transposed digit is the usual cause; try again. If the password is lost, regenerate the MOK from a live ISO (see Regenerating the MOK).

A new kernel installs but will not boot

When you install or upgrade a kernel, InterGenOS rebuilds it into a Unified Kernel Image (UKI) and signs it on your machine with your MOK. If the firmware does not trust that MOK, Secure Boot refuses the UKI and you fall through to the recovery boot entry.

The common cause is that the MOK was never enrolled (or was un-enrolled) while the kernel post-install hook went ahead and signed a UKI with it. The fix:

  1. Boot the recovery entry, which loads the bare vmlinuz directly through signed GRUB.
  2. Re-enroll the MOK (see MokManager appears at first boot), or regenerate it (see Regenerating the MOK).
  3. Re-run the kernel post-install hook for the current kernel after enrollment so a trusted UKI is produced.

You never end up with a half-installed kernel. If UKI signing fails outright, the post-install hook falls back to writing the kernel and initramfs separately, and signed GRUB loads them directly under the same enforced signature verification.

The GRUB menu shows only the recovery entry

No UKI entries means UKI signing has been failing. Inspect /var/log/intergen-kernel-postinstall.log. The two common causes are a full ESP and a missing or unreadable MOK key file.

The ESP is full

Every installed kernel becomes a signed UKI in /boot/efi. A UKI is typically 80–150 MB depending on the initramfs payload, and Forge sizes the ESP for at least three kernels. If the partition fills, kernel install fails with a clear message. Free space by removing an old kernel:

pkm remove linux-kernel-<old-version>
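
The two common causes named above (a full ESP, a missing or unreadable MOK key file) can be checked in one pass. This is an added example, not an InterGenOS tool: the function names are hypothetical, the paths and the 150 MB threshold are taken from this page, and `mokutil` is used only if it happens to be installed.

```shell
#!/bin/sh
# Added example: triage for "the GRUB menu shows only the recovery entry".
# Paths are the ones this page names; function names are hypothetical.

ESP=${ESP:-/boot/efi}
MOK_DIR=${MOK_DIR:-/var/lib/intergen/mok}
UKI_MAX_MB=150   # upper end of the 80-150 MB UKI size range quoted above

# Print the "Available" column (MB) from `df -Pm` output read on stdin.
parse_df_avail() {
    awk 'NR == 2 { print $4 }'
}

# Succeed only if the filesystem holding $1 has room for one more UKI.
esp_has_room() {
    avail=$(df -Pm "$1" 2>/dev/null | parse_df_avail)
    [ -n "$avail" ] && [ "$avail" -ge "$UKI_MAX_MB" ]
}

# Print one of: missing, unreadable, empty, ok.
mok_dir_status() {
    [ -d "$1" ] || { echo missing; return; }
    [ -r "$1" ] && [ -x "$1" ] || { echo unreadable; return; }
    [ -n "$(ls -A "$1" 2>/dev/null)" ] || { echo empty; return; }
    echo ok
}

triage() {
    if esp_has_room "$ESP"; then
        echo "ESP: room for at least one more UKI"
    else
        echo "ESP: less than ${UKI_MAX_MB} MB free at $ESP, or df failed"
    fi
    echo "MOK directory $MOK_DIR: $(mok_dir_status "$MOK_DIR")"
    # Assumption: mokutil may not be present; skip quietly if it is not.
    if command -v mokutil >/dev/null 2>&1; then
        mokutil --sb-state 2>&1   # is Secure Boot enabled at all?
        mokutil --list-new 2>&1   # enrollment requests still pending
    fi
    # Last lines of the hook log the page points to, if it exists.
    tail -n 20 /var/log/intergen-kernel-postinstall.log 2>/dev/null
}

# Run the checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then triage; fi
```

Run it as root with `--run`; reading the MOK directory normally requires root, so an `unreadable` result from an unprivileged shell is expected.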

UKI tooling is missing

If the installed system lacks the UKI builder (an older install, or one with a different boot path), reinstall it and re-run the post-install hook for the current kernel:

pkm install ukify sbsigntool

Regenerating the MOK

The MOK lives under /var/lib/intergen/mok/. On a default install Secure Boot is off, so there is no enrollment password to lose. If you run with Secure Boot enabled and need a fresh MOK, reinstalling with Forge regenerates one; the next kernel install or upgrade rebuilds the UKIs with it, and the GRUB-loads-vmlinuz recovery entry keeps the system bootable in the meantime. (There is no separate recovery wrapper command — UKI signing is handled by the kernel package’s post-install hook.)

The release signing key never touches your machine and is never asked to sign anything you produce locally. Your MOK lives only on your machine, at /var/lib/intergen/mok/.

Firmware will not let me change Secure Boot

Some firmware, especially on OEM laptops, makes the Secure Boot toggle read-only outside Setup Mode. InterGenOS does not require Setup Mode for normal operation; the standard MOK enrollment path is sufficient. If you do need to change firmware settings, consult your hardware vendor’s documentation for entering Setup Mode.

Graphical and session issues

InterGenOS ships GNOME 49 on Wayland. Hardware acceleration runs through the Mesa stack for AMD (Radeon) and Intel (Arc, Iris, UHD) GPUs, all installed and enabled by default. Wayland is the default display protocol; X11-only applications run through Xwayland automatically.

The shell becomes unresponsive

You can restart GNOME Shell without logging out: press Alt + F2, type r, and press Enter. Open applications keep running across the restart.

A monitor or external display misbehaves

GNOME 49 handles mixed-DPI and mixed-refresh-rate setups without configuration, and a hot-plugged monitor should work immediately. If a display is not detected as expected, check it in Settings → Displays, then move a window to it with Super + Shift + Arrow.

NVIDIA graphics

The base distribution does not ship proprietary firmware, and the NVIDIA driver is offered only when an NVIDIA GPU is present. It is an explicit opt-in:

pkm install nvidia

Accept the NVIDIA license when prompted, then follow the post-install instructions for enrolling the NVIDIA kernel module with your MOK. On a Secure Boot system, an out-of-tree module that is not signed and enrolled will not load, so this enrollment step is required for the driver to work.

An application cannot capture another window’s pixels or input

This is Wayland’s per-window isolation working as designed: each application sees only its own input and pixel buffer. Tools that expect the old X11 global-capture behavior may need a Wayland-native portal-based path instead.

  • Verified Boot & Secure Boot — the full boot-chain security model: what is verified, who signs what, and every recovery path.
  • Graphical session — GNOME 49 on Wayland, keyboard shortcuts, hardware acceleration, and what ships by default.
  • FAQ — quick answers to common questions.