author: sommerfeld <sommerfeld@sommerfeld.dev> 2026-05-29 11:18:12 +0100
committer: sommerfeld <sommerfeld@sommerfeld.dev> 2026-05-29 11:18:12 +0100
commit: 8ebe3f106e53dc4032428a2e3435c4feea969087
tree: 4c77d0260a02383ed2ab73ad3ea1189bc0951c4d /etc/mkinitcpio.d
parent: 0ccd0743ef845084a1b410fa1f0a36946dbb9e8d
feat(boot): add linux-hardened as parallel UKI

Installs linux-hardened + linux-hardened-headers alongside the stock linux kernel. Stock kernel remains the default; linux-hardened is opt-in via efibootmgr --bootnext after the EFI entry is registered (one-time host-side step, documented in the preset).

After first 'just pkg-apply', mkinitcpio auto-builds /boot/EFI/Linux/arch-linux-hardened.efi from the new preset (sharing etc/kernel/cmdline.tmpl with the stock UKI — same LUKS root, no kernel-specific cmdline knobs).

Host-side EFI entry registration:

  sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \
    --label 'Arch Hardened' --loader '\\EFI\\Linux\\arch-linux-hardened.efi'

Roll back any time by removing both packages and the preset file; the stock kernel and its UKI are untouched.

Diffstat (limited to 'etc/mkinitcpio.d')
-rw-r--r-- etc/mkinitcpio.d/linux-hardened.preset 19
1 files changed, 19 insertions, 0 deletions
diff --git a/etc/mkinitcpio.d/linux-hardened.preset b/etc/mkinitcpio.d/linux-hardened.preset
new file mode 100644
index 0000000..92da91c
--- /dev/null
+++ b/etc/mkinitcpio.d/linux-hardened.preset
@@ -0,0 +1,19 @@
+# mkinitcpio preset for the 'linux-hardened' kernel. Produces a UKI at
+# /boot/EFI/Linux/arch-linux-hardened.efi alongside the stock linux UKI.
+# Shares etc/kernel/cmdline.tmpl (same LUKS root, no kernel-specific
+# cmdline knobs). Register the EFI entry once with efibootmgr:
+#
+# sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \
+# --label 'Arch Hardened' --loader '\EFI\Linux\arch-linux-hardened.efi'
+#
+# Boot it on demand via: sudo efibootmgr --bootnext XXXX && systemctl reboot
+
+#ALL_config="/etc/mkinitcpio.conf"
+ALL_kver="/boot/vmlinuz-linux-hardened"
+
+PRESETS=('default' 'fallback')
+
+default_uki="/boot/EFI/Linux/arch-linux-hardened.efi"
+
+fallback_uki="/boot/EFI/Linux/arch-linux-hardened-fallback.efi"
+fallback_options="-S autodetect"
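
Review bot: the header comment registers an EFI entry only for arch-linux-hardened.efi, while PRESETS=('default' 'fallback') also builds arch-linux-hardened-fallback.efi at fallback_uki with no entry or boot path documented for it. If the fallback image is meant as a recovery option, add a second efibootmgr --create line with --loader '\EFI\Linux\arch-linux-hardened-fallback.efi'; otherwise drop 'fallback' from PRESETS so an image nothing boots is not built. The comment could also state that XXXX in --bootnext XXXX is the Boot#### number efibootmgr lists for the 'Arch Hardened' entry, and that --disk /dev/nvme0n1 --part 1 is host-specific.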