author sommerfeld <sommerfeld@sommerfeld.dev> 2026-05-29 11:18:14 +0100
committer sommerfeld <sommerfeld@sommerfeld.dev> 2026-05-29 11:18:14 +0100
commit be5f8a2e6be3af4963399bb7f994f76d76b3a239
tree 146cf02ab2f4c9536d18a3b2a3e6663970160020 /etc
parent e2a7a2fdb9ba66e777ec1a8c0d3c9301cc21bdab
fix(suspend): load intel_lpss_pci from initramfs (Arch wiki touchpad fix)

Symptoms (Intel CPU + linux-hardened + blinking caps lock + hard hang on resume from S3) are a direct match for the Arch wiki entry:

https://wiki.archlinux.org/title/Power_management/Suspend_and_hibernate#Touchpad_causes_a_kernel_panic_on_resume
https://bbs.archlinux.org/viewtopic.php?id=231881

When intel_lpss_pci is loaded late (via udev after userspace is up), the touchpad/I2C controller it parents can be torn down by suspend before the module's resume callback is registered, leading to a NULL-deref panic during resume. The kernel never makes it far enough to flush logs — which matches our 'PM: suspend entry (deep)' being the last journal line.

Fix: load intel_lpss_pci from the initramfs so it's available before the suspend/resume code path runs.

Why this only bites linux-hardened: the hardening config enables INIT_ON_FREE, slab freelist hardening, page poisoning, and stricter pointer validation, which turn what's a silent UAF on stock linux into an immediate panic on hardened. Stock 'just works' by accident.

Also drop the speculative init_on_free=0 from the hardened cmdline now that we have a targeted hypothesis. Keep nmi_watchdog=panic + softlockup_panic=1 + panic=10 as belt-and-braces: if this fix is wrong, the next hang will auto-reboot with a usable panic log in 'journalctl -b -1 -k' instead of needing the power button again.

Diffstat (limited to 'etc')
-rw-r--r--  etc/kernel/cmdline-linux-hardened.tmpl  2
-rw-r--r--  etc/mkinitcpio.conf  2
-rw-r--r--  etc/mkinitcpio.d/linux-hardened.preset  7
3 files changed, 5 insertions, 6 deletions
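
A check for the state this commit aims for, as an added example that is not part of the commit or the dotfiles repository: it confirms `intel_lpss_pci` is in the active MODULES array and that `init_on_free=0` is gone from the kernel command line. The function names and the sample inputs are assumptions constructed for illustration.

```shell
# Added example, not from the dotfiles repo. Inputs are plain strings; on a
# live system pass "$(cat /proc/cmdline)" and "$(cat /etc/mkinitcpio.conf)".

# Print the value of kernel parameter $2 in cmdline string $1 (last
# occurrence reported); status 1 if the parameter is absent.
cmdline_param() (
    set -f                      # no globbing while word-splitting $1
    val= found=1
    for tok in $1; do
        case $tok in
            "$2"=*) val=${tok#*=}; found=0 ;;
            "$2")   val=;          found=0 ;;
        esac
    done
    [ "$found" -eq 0 ] && printf '%s\n' "$val"
    exit "$found"
)

# Succeed if module $2 is in the active (uncommented, single-line)
# MODULES=(...) array of mkinitcpio.conf text $1.
modules_has() (
    set -f
    list=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*MODULES=(\([^)]*\)).*$/\1/p' | tail -n 1)
    for m in $list; do
        [ "${m%\?}" = "$2" ] && exit 0   # "mod?" marks an optional module
    done
    exit 1
)

# One finding per line; non-zero status if a check fails.
audit_suspend_fix() {
    rc=0
    modules_has "$2" intel_lpss_pci ||
        { echo "FAIL: intel_lpss_pci missing from MODULES"; rc=1; }
    [ "$(cmdline_param "$1" init_on_free)" != 0 ] ||
        { echo "FAIL: init_on_free=0 still on the cmdline"; rc=1; }
    for k in nmi_watchdog softlockup_panic panic; do
        cmdline_param "$1" "$k" >/dev/null || echo "note: $k not set"
    done
    return "$rc"
}

# Constructed sample inputs (placeholder UUID).
SAMPLE_CMDLINE='rd.luks.name=00000000-0000-0000-0000-000000000000=root root=/dev/mapper/root rw quiet nmi_watchdog=panic softlockup_panic=1 panic=10'
SAMPLE_CONF='# MODULES=(usbhid xhci_hcd)
MODULES=(intel_lpss_pci)'
audit_suspend_fix "$SAMPLE_CMDLINE" "$SAMPLE_CONF" && echo "ok"
```
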
diff --git a/etc/kernel/cmdline-linux-hardened.tmpl b/etc/kernel/cmdline-linux-hardened.tmpl
index d2e2973..e77f3c3 100644
--- a/etc/kernel/cmdline-linux-hardened.tmpl
+++ b/etc/kernel/cmdline-linux-hardened.tmpl
@@ -1 +1 @@
-rd.luks.name={{ output "lsblk" "-dno" "UUID" (printf "/dev/%s" .luksRootPartition) | trim }}=root root=/dev/mapper/root rw quiet init_on_free=0 nmi_watchdog=panic softlockup_panic=1 panic=10
+rd.luks.name={{ output "lsblk" "-dno" "UUID" (printf "/dev/%s" .luksRootPartition) | trim }}=root root=/dev/mapper/root rw quiet nmi_watchdog=panic softlockup_panic=1 panic=10
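Review bot: On the `+` line, `softlockup_panic=1 panic=10` remain active on a root that is unlocked through `rd.luks.name=`, so any soft lockup, including a transient one unrelated to resume, becomes a panic and a reboot that leaves the machine waiting at the passphrase prompt. That is acceptable while the fix is being validated, but nothing on this line bounds the validation period; suggest a follow-up that removes the three knobs once a few suspend cycles have passed cleanly. Dropping `init_on_free=0` needs no change.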
diff --git a/etc/mkinitcpio.conf b/etc/mkinitcpio.conf
index fab5fa1..d8ae3ff 100644
--- a/etc/mkinitcpio.conf
+++ b/etc/mkinitcpio.conf
@@ -4,7 +4,7 @@
# run. Advanced users may wish to specify all system modules
# in this array. For instance:
# MODULES=(usbhid xhci_hcd)
-MODULES=()
+MODULES=(intel_lpss_pci)
# BINARIES
# This setting includes any additional binaries a given user may
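Review bot: `MODULES=(intel_lpss_pci)` carries no comment saying why the module is listed, and etc/mkinitcpio.conf is not specific to the hardened preset, so the module also lands in any other initramfs built from this file. Suggest a one-line comment above the assignment naming the resume panic it works around, so the entry is not removed later as an unexplained leftover.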
diff --git a/etc/mkinitcpio.d/linux-hardened.preset b/etc/mkinitcpio.d/linux-hardened.preset
index 960a24a..90be917 100644
--- a/etc/mkinitcpio.d/linux-hardened.preset
+++ b/etc/mkinitcpio.d/linux-hardened.preset
@@ -1,10 +1,9 @@
# mkinitcpio preset for the 'linux-hardened' kernel. Produces a UKI at
# /boot/EFI/Linux/arch-linux-hardened.efi alongside the stock linux UKI.
# Uses its own cmdline file (etc/kernel/cmdline-linux-hardened.tmpl)
-# to carry workarounds for hardened-specific suspend/resume hangs on
-# this hardware (init_on_free=0 + hang-detection knobs). The stock
-# linux UKI keeps the minimal etc/kernel/cmdline.tmpl. Register the
-# EFI entry once with efibootmgr:
+# carrying hang-detection knobs while we validate the suspend/resume
+# fix on this hardware. The stock linux UKI keeps the minimal
+# etc/kernel/cmdline.tmpl. Register the EFI entry once with efibootmgr:
#
# sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \
# --label 'Arch Hardened' --loader '\EFI\Linux\arch-linux-hardened.efi'
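Review bot: The rewritten comment (the three `+` lines) no longer says which parameters the cmdline file carries or what "the suspend/resume fix" refers to; the text it replaces at least named `init_on_free=0`. Suggest naming the knobs (`nmi_watchdog=panic softlockup_panic=1 panic=10`) and pointing at the `MODULES=(intel_lpss_pci)` entry in etc/mkinitcpio.conf, so a reader of the preset alone can tell what to revert when validation is finished.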