| -rwxr-xr-x | bootstrap.sh | 12 | ||||
| -rw-r--r-- | etc/mkinitcpio.d/linux-hardened.preset | 24 | ||||
| -rw-r--r-- | etc/mkinitcpio.d/linux-lts.preset | 22 | ||||
| -rw-r--r-- | etc/mkinitcpio.d/linux.preset | 17 | ||||
| -rw-r--r-- | meta/base.txt | 4 |
5 files changed, 46 insertions, 33 deletions
diff --git a/bootstrap.sh b/bootstrap.sh
index afa4909..2f35f9d 100755
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -125,20 +125,20 @@ if [ -d /sys/firmware/efi ]; then
 if ! sudo efibootmgr 2>/dev/null | grep -iq arch; then
 warn 'no Arch Linux EFI boot entry found'
 warn 'after first kernel install, run: sudo mkinitcpio -P'
- warn 'then register the UKI with efibootmgr, for example:'
+ warn 'then register the UKIs with efibootmgr (hardened first so it'\''s the default):'
 # shellcheck disable=SC1003 # backslash is literal text shown to the user
 warn ' sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \'
- warn " --label 'Arch UKI' --loader '\\EFI\\Linux\\arch-linux.efi'"
+ warn " --label 'Arch Hardened' --loader '\\EFI\\Linux\\arch-linux-hardened.efi'"
 # shellcheck disable=SC1003
 warn ' sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \'
- warn " --label 'Arch UKI Fallback' --loader '\\EFI\\Linux\\arch-linux-fallback.efi'"
- warn 'optionally, also register the linux-hardened UKIs (opt-in boot):'
+ warn " --label 'Arch Hardened Fallback' --loader '\\EFI\\Linux\\arch-linux-hardened-fallback.efi'"
+ warn 'and the linux-lts fallback kernel UKIs:'
 # shellcheck disable=SC1003
 warn ' sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \'
- warn " --label 'Arch Hardened' --loader '\\EFI\\Linux\\arch-linux-hardened.efi'"
+ warn " --label 'Arch LTS' --loader '\\EFI\\Linux\\arch-linux-lts.efi'"
 # shellcheck disable=SC1003
 warn ' sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \'
- warn " --label 'Arch Hardened Fallback' --loader '\\EFI\\Linux\\arch-linux-hardened-fallback.efi'"
+ warn " --label 'Arch LTS Fallback' --loader '\\EFI\\Linux\\arch-linux-lts-fallback.efi'"
 fi
 fi
diff --git a/etc/mkinitcpio.d/linux-hardened.preset b/etc/mkinitcpio.d/linux-hardened.preset
index fcb94a5..332b7e5 100644
--- a/etc/mkinitcpio.d/linux-hardened.preset
+++ b/etc/mkinitcpio.d/linux-hardened.preset
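Review bot: The new guidance text assumes the order of the `efibootmgr --create` calls picks the default ("hardened first so it's the default"), but `--create` prepends each new entry to BootOrder, so running the four commands as listed leaves 'Arch LTS Fallback' booting by default — the opposite of the intent; either list the hardened entries last or add an explicit reorder step such as `warn 'then make hardened the default: sudo efibootmgr -o <hardened>,<lts>'`. Separately, dropping the `linux` package leaves the old `arch-linux.efi` / `arch-linux-fallback.efi` UKIs on the ESP and the old 'Arch UKI' NVRAM entries in place, and the unchanged `grep -iq arch` check is satisfied by those stale entries, so on an upgraded host this warning never fires and a no-longer-updated kernel image stays bootable; matching the new label (`grep -iq 'arch hardened'`) and telling the user to remove the stale UKIs and entries (`sudo efibootmgr -b XXXX -B`) would close that. If Secure Boot is enrolled on this host (not visible here), the renamed loader paths also need to be covered by whatever signing step is in use. The enclosing `if [ -d /sys/firmware/efi ]` block starts before this hunk.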
@@ -1,16 +1,22 @@
-# mkinitcpio preset for the 'linux-hardened' kernel. Produces a UKI at
-# /boot/EFI/Linux/arch-linux-hardened.efi alongside the stock linux UKI.
-# Uses its own cmdline file (etc/kernel/cmdline-linux-hardened.tmpl) to
-# force `mem_sleep_default=s2idle`: this hardware's S3 firmware path
-# wakes reliably on stock linux but hard-hangs the hardened kernel
-# (INIT_ON_FREE + slab hardening turn a latent driver race fatal).
-# Stock linux keeps the minimal etc/kernel/cmdline.tmpl. Register the
-# EFI entry once with efibootmgr:
+# mkinitcpio preset for the 'linux-hardened' kernel — the PRIMARY boot
+# kernel on this host. Produces a UKI at
+# /boot/EFI/Linux/arch-linux-hardened.efi alongside the linux-lts UKI
+# (linux-lts is the fallback kernel for the rare case where a hardened
+# upgrade breaks; see linux-lts.preset). Uses its own cmdline file
+# (etc/kernel/cmdline-linux-hardened.tmpl) to force
+# `mem_sleep_default=s2idle`: this hardware's S3 firmware path wakes
+# reliably on the mainline/lts kernel but hard-hangs the hardened
+# kernel (INIT_ON_FREE + slab hardening turn a latent driver race
+# fatal). linux-lts keeps the minimal etc/kernel/cmdline.tmpl.
+#
+# Register the EFI entries (hardened first so it's the default boot):
 #
 # sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \
 # --label 'Arch Hardened' --loader '\EFI\Linux\arch-linux-hardened.efi'
+# sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \
+# --label 'Arch LTS' --loader '\EFI\Linux\arch-linux-lts.efi'
 #
-# Boot it on demand via: sudo efibootmgr --bootnext XXXX && systemctl reboot
+# Boot LTS on demand via: sudo efibootmgr --bootnext XXXX && systemctl reboot
 #ALL_config="/etc/mkinitcpio.conf"
 ALL_kver="/boot/vmlinuz-linux-hardened"
diff --git a/etc/mkinitcpio.d/linux-lts.preset b/etc/mkinitcpio.d/linux-lts.preset
new file mode 100644
index 0000000..d8caf04
--- /dev/null
+++ b/etc/mkinitcpio.d/linux-lts.preset
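Review bot: The rewritten header line "Register the EFI entries (hardened first so it's the default boot)" documents the wrong procedure: `efibootmgr --create` prepends each new entry to BootOrder, so creating the hardened entry first and the LTS entry second makes LTS the firmware default, which is exactly what this file says it wants to avoid. Suggest changing that line to `# Register the EFI entries, then put hardened first in BootOrder:` and adding, after the two --create examples, `# sudo efibootmgr -o <hardened>,<lts>   # --create prepends; creation order alone does not pick the default`. The `--bootnext XXXX` line below it is fine as a one-shot override and can stay as written.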
@@ -0,0 +1,22 @@
+# mkinitcpio preset file for the 'linux-lts' package.
+# This is the fallback kernel: kept around so we can boot it when a
+# linux-hardened upgrade breaks (LTS lags mainline by weeks and is
+# almost always known-good). Uses the plain cmdline (no s2idle
+# override — only linux-hardened needs that on this hardware; see the
+# linux-hardened.preset header for details).
+
+#ALL_config="/etc/mkinitcpio.conf"
+ALL_kver="/boot/vmlinuz-linux-lts"
+#ALL_kerneldest="/boot/vmlinuz-linux-lts"
+
+PRESETS=('default' 'fallback')
+
+#default_config="/etc/mkinitcpio.conf"
+#default_image="/boot/initramfs-linux-lts.img"
+default_uki="/boot/EFI/Linux/arch-linux-lts.efi"
+#default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp"
+
+#fallback_config="/etc/mkinitcpio.conf"
+#fallback_image="/boot/initramfs-linux-lts-fallback.img"
+fallback_uki="/boot/EFI/Linux/arch-linux-lts-fallback.efi"
+fallback_options="-S autodetect"
diff --git a/etc/mkinitcpio.d/linux.preset b/etc/mkinitcpio.d/linux.preset
deleted file mode 100644
index c6e8929..0000000
--- a/etc/mkinitcpio.d/linux.preset
+++ /dev/null
@@ -1,17 +0,0 @@
-# mkinitcpio preset file for the 'linux' package
-
-#ALL_config="/etc/mkinitcpio.conf"
-ALL_kver="/boot/vmlinuz-linux"
-#ALL_kerneldest="/boot/vmlinuz-linux"
-
-PRESETS=('default' 'fallback')
-
-#default_config="/etc/mkinitcpio.conf"
-#default_image="/boot/initramfs-linux.img"
-default_uki="/boot/EFI/Linux/arch-linux.efi"
-#default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp"
-
-#fallback_config="/etc/mkinitcpio.conf"
-#fallback_image="/boot/initramfs-linux-fallback.img"
-fallback_uki="/boot/EFI/Linux/arch-linux-fallback.efi"
-fallback_options="-S autodetect"
diff --git a/meta/base.txt b/meta/base.txt
index f77b85b..616d22c 100644
--- a/meta/base.txt
+++ b/meta/base.txt
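Review bot: The header frames linux-lts purely as a recovery convenience but does not say that this preset, once its UKI is registered, is a permanent second boot path with fewer kernel mitigations than linux-hardened: anyone who can reach the firmware boot menu or run `efibootmgr --bootnext` can start the LTS UKI instead of the hardened one. That trade-off belongs in the header, e.g. `# NOTE: this is a permanent second boot path with fewer mitigations than linux-hardened; keep it updated, and if Secure Boot or a firmware password is used on this host, make sure it covers this entry too.` Also, with `#default_options` commented out nothing in this preset pins the "plain cmdline" the comment mentions — presumably it comes from mkinitcpio's default lookup of /etc/kernel/cmdline rather than the `.tmpl` file named in linux-hardened.preset — so confirm that matches how the repo renders templates and say so in the comment.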
@@ -18,10 +18,12 @@ dosfstools
 fwupd
 iwd
 kernel-modules-hook
-linux
 linux-firmware
+mkinitcpio-firmware
 linux-hardened
 linux-hardened-headers
+linux-lts
+linux-lts-headers
 lostfiles
 lshw
 man-db
|
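Review bot: The added `mkinitcpio-firmware` entry is, as far as I know, an AUR package rather than one from the official repositories, unlike every other name in this hunk; if meta/base.txt is fed straight to `pacman -S` (bootstrap.sh is not fully visible here), the whole transaction fails on an unknown target, and if it is built via an AUR helper the base set now depends on an unreviewed PKGBUILD and a third-party firmware source. Worth either moving it to whatever list the repo uses for AUR packages, or adding a comment on the line saying where it comes from and why it is needed (presumably to silence mkinitcpio's missing-firmware warnings, which is cosmetic and could be dropped from the base set entirely).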
