diff options
| author |  sommerfeld <sommerfeld@sommerfeld.dev> | 2026-05-29 11:18:16 +0100 |
|---|---|---|
| committer | sommerfeld <sommerfeld@sommerfeld.dev> | 2026-05-29 11:18:16 +0100 |
| commit | a6f1e9026e5d19b50c7c522e30e6f216fc9f8180 (patch) | |
| tree | c001ab9b2f42054201ee6fe2ec08ec36b3902ec5 /etc/mkinitcpio.d | |
| parent | fdba57c9c05f321d3a75ae8f2e46e4053193744f (diff) | |
| download | dotfiles-a6f1e9026e5d19b50c7c522e30e6f216fc9f8180.tar.gz dotfiles-a6f1e9026e5d19b50c7c522e30e6f216fc9f8180.tar.bz2 dotfiles-a6f1e9026e5d19b50c7c522e30e6f216fc9f8180.zip | |
feat(kernel): swap stock linux for linux-lts as fallback kernel
Promotes linux-hardened to the sole primary kernel and replaces
linux with linux-lts as the safety-net fallback. Rationale:
- linux and linux-hardened track the same upstream major version
and ship within days of each other, so 'linux' was a poor
fallback for the regression class that historically takes out
the hardened kernel on this hardware (e.g. checkpoint 026
wake-from-suspend panic). linux-lts lags by weeks/months and is
almost always known-good when hardened breaks.
- Drop etc/mkinitcpio.d/linux.preset, add linux-lts.preset.
Hardened preset header + bootstrap.sh efibootmgr instructions
updated accordingly (hardened registered first so it's the
default; lts registered as the on-demand fallback).
- Also add mkinitcpio-firmware (AUR) to silence the spurious
'missing firmware' warnings during initramfs builds.
Manual host-side steps after deploy:
paru -S linux-lts linux-lts-headers mkinitcpio-firmware
sudo pacman -Rsn linux # or via 'just pkg-apply' undeclared flow
sudo rm -f /etc/mkinitcpio.d/linux.preset # chezmoi-deployed, not pkg-owned
sudo mkinitcpio -P
sudo efibootmgr # add the Arch LTS entries, drop the stock linux ones
Note: meta/nvidia.txt still lists 'linux-headers' for nvidia-dkms.
That's a per-host concern; flagged for follow-up if any nvidia host
moves to the linux-lts world.
Diffstat (limited to 'etc/mkinitcpio.d')
| -rw-r--r-- | etc/mkinitcpio.d/linux-hardened.preset | 24 | ||||
| -rw-r--r-- | etc/mkinitcpio.d/linux-lts.preset | 22 | ||||
| -rw-r--r-- | etc/mkinitcpio.d/linux.preset | 17 |
3 files changed, 37 insertions, 26 deletions
diff --git a/etc/mkinitcpio.d/linux-hardened.preset b/etc/mkinitcpio.d/linux-hardened.preset index fcb94a5..332b7e5 100644 --- a/etc/mkinitcpio.d/linux-hardened.preset +++ b/etc/mkinitcpio.d/linux-hardened.preset @@ -1,16 +1,22 @@ -# mkinitcpio preset for the 'linux-hardened' kernel. Produces a UKI at -# /boot/EFI/Linux/arch-linux-hardened.efi alongside the stock linux UKI. -# Uses its own cmdline file (etc/kernel/cmdline-linux-hardened.tmpl) to -# force `mem_sleep_default=s2idle`: this hardware's S3 firmware path -# wakes reliably on stock linux but hard-hangs the hardened kernel -# (INIT_ON_FREE + slab hardening turn a latent driver race fatal). -# Stock linux keeps the minimal etc/kernel/cmdline.tmpl. Register the -# EFI entry once with efibootmgr: +# mkinitcpio preset for the 'linux-hardened' kernel — the PRIMARY boot +# kernel on this host. Produces a UKI at +# /boot/EFI/Linux/arch-linux-hardened.efi alongside the linux-lts UKI +# (linux-lts is the fallback kernel for the rare case where a hardened +# upgrade breaks; see linux-lts.preset). Uses its own cmdline file +# (etc/kernel/cmdline-linux-hardened.tmpl) to force +# `mem_sleep_default=s2idle`: this hardware's S3 firmware path wakes +# reliably on the mainline/lts kernel but hard-hangs the hardened +# kernel (INIT_ON_FREE + slab hardening turn a latent driver race +# fatal). linux-lts keeps the minimal etc/kernel/cmdline.tmpl. +# +# Register the EFI entries (hardened first so it's the default boot): # # sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \ # --label 'Arch Hardened' --loader '\EFI\Linux\arch-linux-hardened.efi' +# sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \ +# --label 'Arch LTS' --loader '\EFI\Linux\arch-linux-lts.efi' # -# Boot it on demand via: sudo efibootmgr --bootnext XXXX && systemctl reboot +# Boot LTS on demand via: sudo efibootmgr --bootnext XXXX && systemctl reboot #ALL_config="/etc/mkinitcpio.conf" ALL_kver="/boot/vmlinuz-linux-hardened" diff --git a/etc/mkinitcpio.d/linux-lts.preset b/etc/mkinitcpio.d/linux-lts.preset new file mode 100644 index 0000000..d8caf04 --- /dev/null +++ b/etc/mkinitcpio.d/linux-lts.preset @@ -0,0 +1,22 @@ +# mkinitcpio preset file for the 'linux-lts' package. +# This is the fallback kernel: kept around so we can boot it when a +# linux-hardened upgrade breaks (LTS lags mainline by weeks and is +# almost always known-good). Uses the plain cmdline (no s2idle +# override — only linux-hardened needs that on this hardware; see the +# linux-hardened.preset header for details). + +#ALL_config="/etc/mkinitcpio.conf" +ALL_kver="/boot/vmlinuz-linux-lts" +#ALL_kerneldest="/boot/vmlinuz-linux-lts" + +PRESETS=('default' 'fallback') + +#default_config="/etc/mkinitcpio.conf" +#default_image="/boot/initramfs-linux-lts.img" +default_uki="/boot/EFI/Linux/arch-linux-lts.efi" +#default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp" + +#fallback_config="/etc/mkinitcpio.conf" +#fallback_image="/boot/initramfs-linux-lts-fallback.img" +fallback_uki="/boot/EFI/Linux/arch-linux-lts-fallback.efi" +fallback_options="-S autodetect" diff --git a/etc/mkinitcpio.d/linux.preset b/etc/mkinitcpio.d/linux.preset deleted file mode 100644 index c6e8929..0000000 --- a/etc/mkinitcpio.d/linux.preset +++ /dev/null @@ -1,17 +0,0 @@ -# mkinitcpio preset file for the 'linux' package - -#ALL_config="/etc/mkinitcpio.conf" -ALL_kver="/boot/vmlinuz-linux" -#ALL_kerneldest="/boot/vmlinuz-linux" - -PRESETS=('default' 'fallback') - -#default_config="/etc/mkinitcpio.conf" -#default_image="/boot/initramfs-linux.img" -default_uki="/boot/EFI/Linux/arch-linux.efi" -#default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp" - -#fallback_config="/etc/mkinitcpio.conf" -#fallback_image="/boot/initramfs-linux-fallback.img" -fallback_uki="/boot/EFI/Linux/arch-linux-fallback.efi" -fallback_options="-S autodetect" |