diff --git a/linux/build/config/silvermetal-base.conf b/linux/build/config/silvermetal-base.conf
index e52d734..cc6f73a 100644
--- a/linux/build/config/silvermetal-base.conf
+++ b/linux/build/config/silvermetal-base.conf
@@ -16,8 +16,19 @@ DERIVATIVE_BUILD_TARGET="iso"
 # Kicksecure's derivative-maker exposes "build flavour" as the upstream
 # selector. We ride on the plain Kicksecure CLI flavour here. M1.2 will
 # switch this to a SilverMetal-Hardened flavour with our overlay.
+# Upstream spells the CLI flag --flavor (American), so the variable name
+# below is intentionally British but the flag passed in build-inner.sh
+# is the upstream spelling.
 DERIVATIVE_FLAVOUR="kicksecure-cli"
+# Nonfree firmware switch (mandatory for amd64/i386 — parse-cmd errors
+# otherwise). Kicksecure's public ISOs choose "false" (nonfree firmware
+# included) so the resulting image actually boots on real hardware
+# (wifi, GPU, microcode). M1.1 follows that choice; the hardening
+# overlay in M1.2+ can revisit if there's a privacy-vs-functionality
+# argument worth reopening.
+DERIVATIVE_FREEDOM="false"
+
 # --- Branding (reads shared/branding/linux-iso-meta.yaml at script time) ----
 # These mirror the YAML; the wrapper script reconciles them so we don't have
 # two sources of truth for the same value. If they diverge, build.sh fails.
diff --git a/linux/build/scripts/build-inner.sh b/linux/build/scripts/build-inner.sh
index 3975f97..1dd0834 100755
--- a/linux/build/scripts/build-inner.sh
+++ b/linux/build/scripts/build-inner.sh
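Review bot: In silvermetal-base.conf, the comment above `DERIVATIVE_FREEDOM="false"` frames the choice only as privacy-vs-functionality, which undersells what the switch means for a hardening-oriented image. The microcode it mentions is also how CPU vendors ship fixes for processor vulnerabilities, and the firmware blobs are closed binaries the project cannot audit; both facts belong next to the setting so the M1.2+ revisit weighs them. I would add something like `# Security: "false" also brings in CPU microcode updates (vendor fixes for CPU flaws); the firmware blobs are unauditable binaries.` Because the value reads inverted ("false" means nonfree is included), keeping that sentence beside the assignment also guards against a well-meaning flip.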
@@ -28,13 +28,19 @@ source "${REPO_ROOT}/linux/build/config/silvermetal-base.conf"
 cd "${REPO_ROOT}/linux/build/derivative-maker"
+# CLI grammar comes from derivative-maker/help-steps/parse-cmd. The
+# valid options are a closed set; passing anything else (including
+# --build, --dist, or --config) trips the "unknown option" guard at
+# parse-cmd line 725. Spelling matters too: upstream uses --flavor
+# (American), not --flavour. --freedom is mandatory for amd64/i386.
+# Dist is implicit from --flavor (kicksecure-cli => bookworm), and
+# the silvermetal-base.conf is sourced into the env above rather than
+# passed as a flag because derivative-maker has no --config option.
 ./derivative-maker \
- --build \
+ --flavor "${DERIVATIVE_FLAVOUR}" \
 --target "${DERIVATIVE_BUILD_TARGET}" \
- --flavour "${DERIVATIVE_FLAVOUR}" \
 --arch "${DERIVATIVE_TARGET_ARCH}" \
- --dist "${DERIVATIVE_DIST}" \
- --config "${REPO_ROOT}/linux/build/config/silvermetal-base.conf"
+ --freedom "${DERIVATIVE_FREEDOM}"
 # derivative-maker writes into its own build/ tree; collect into BUILD_DIR.
 # Exact upstream output paths can shift between tags — keep this tolerant.
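Review bot: Nothing between the `source` of silvermetal-base.conf and the `./derivative-maker` call checks that the variables now passed as flags are set, so a config that predates `DERIVATIVE_FREEDOM` would hand `--freedom ""` to upstream and fail inside parse-cmd instead of here (whether `set -u` is active is not visible in this hunk). A guard before the call, `: "${DERIVATIVE_FREEDOM:?must be set in silvermetal-base.conf}"`, repeated for the flavour, target and arch variables, keeps the failure local and the message clear. The comment's pointer to `parse-cmd line 725` will go stale as soon as the derivative-maker checkout moves to another tag; naming the guard by its "unknown option" message is enough. If `DERIVATIVE_DIST` is still defined in the config it is now unused, and it should be removed or marked informational so it does not look like it selects the release. The script continues outside the hunk.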