IncusOS: Boot after install fails with "Access Denied"

I’ve been attempting to install IncusOS on a Lenovo m910q mini PC but have hit a snag after installation.

The TPM is enabled (was surprised these boxes have TPM2 but have confirmed by looking in /sys/class/tpm/tpm0/device/description and successfully installing Windows 11) as is Secure Boot setup mode.

The installer runs and successfully enrolls the custom Secure Boot keys, reboots, and runs the installation through to completion but the first boot of IncusOS fails with the following error (in red text):

../src/boot/boot.c:2560@image_start: Error loading \EFI\Linux\IncusOS_202511100256.efi: Access denied

A search seems to indicate that these “Access denied” errors can occur if not everything is signed with the Secure Boot keys.

Is the Installer itself signed with the Secure Boot keys? If so then that would point to something not being signed in IncusOS. If not then the problem may just be the UEFI on this old box.

The .efi is exactly the same as was booted for the installation (unless something got corrupted on disk during copy), so the Access denied here is a bit odd.

It could be that this is an indirect access error, as in the system needs to load an additional component to perform EFI boot of that file (like the NVME storage driver) which fails as it’s not currently trusted due to the full Secure Boot reset from using Setup Mode.

Does your BIOS give you configuration options for the individual keys?

There’s no option in the BIOS for individual keys, but i think you’re right about the NVMe storage driver. I created a new installation image, this time targeting a SATA SSD and the system was able to get through first boot and is now up and running.

Thanks for the help.