Diffstat (limited to 'etc')
| -rw-r--r-- | etc/kernel/cmdline-linux-hardened.tmpl | 2 | ||||
| -rw-r--r-- | etc/mkinitcpio.conf | 2 | ||||
| -rw-r--r-- | etc/mkinitcpio.d/linux-hardened.preset | 10 | ||||
| -rw-r--r-- | etc/systemd/logind.conf.d/20-no-suspend.conf | 17 |
4 files changed, 8 insertions, 23 deletions
diff --git a/etc/kernel/cmdline-linux-hardened.tmpl b/etc/kernel/cmdline-linux-hardened.tmpl
index 45dff5e..be99a9c 100644
--- a/etc/kernel/cmdline-linux-hardened.tmpl
+++ b/etc/kernel/cmdline-linux-hardened.tmpl
@@ -1 +1 @@
-rd.luks.name={{ output "lsblk" "-dno" "UUID" (printf "/dev/%s" .luksRootPartition) | trim }}=root root=/dev/mapper/root rw mem_sleep_default=s2idle no_console_suspend nmi_watchdog=panic softlockup_panic=1 panic=10
+rd.luks.name={{ output "lsblk" "-dno" "UUID" (printf "/dev/%s" .luksRootPartition) | trim }}=root root=/dev/mapper/root rw quiet mem_sleep_default=s2idle
diff --git a/etc/mkinitcpio.conf b/etc/mkinitcpio.conf
index d8ae3ff..fab5fa1 100644
--- a/etc/mkinitcpio.conf
+++ b/etc/mkinitcpio.conf
@@ -4,7 +4,7 @@
 # run. Advanced users may wish to specify all system modules
 # in this array. For instance:
 # MODULES=(usbhid xhci_hcd)
-MODULES=(intel_lpss_pci)
+MODULES=()
 
 # BINARIES
 # This setting includes any additional binaries a given user may
diff --git a/etc/mkinitcpio.d/linux-hardened.preset b/etc/mkinitcpio.d/linux-hardened.preset
index 90be917..fcb94a5 100644
--- a/etc/mkinitcpio.d/linux-hardened.preset
+++ b/etc/mkinitcpio.d/linux-hardened.preset
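Review bot: The new cmdline drops `no_console_suspend nmi_watchdog=panic softlockup_panic=1 panic=10` and adds `quiet` in the same step, so if the resume hang the preset comment describes recurs on the hardened kernel there will be neither a console trace nor an automatic reboot out of the wedged state. Since the preset attributes the hang to a latent driver race that s2idle only sidesteps rather than fixes, keeping `nmi_watchdog=panic panic=10` on this hardened-only cmdline (the stock cmdline.tmpl is untouched) costs nothing in normal operation and turns a silent hang into a logged panic. Separately, and unchanged by this commit, the `{{ output "lsblk" ... | trim }}` expansion has no guard for empty output: a failed or misconfigured `lsblk` renders `rd.luks.name==root`, which fails at boot with no hint that the template was the cause.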
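Review bot: `MODULES=()` removes `intel_lpss_pci` from the force-loaded set without recording why it was there, so a later reader cannot tell whether it belonged to the suspend-hang investigation or is needed for an input device at the LUKS passphrase prompt. The HOOKS line that would show whether autodetect picks it up is outside this hunk. If it was only added for the S3 workaround, a one-line comment above `MODULES=()` saying so (for example `# intel_lpss_pci was force-loaded only while chasing the S3 resume hang; not needed for early boot`) would make the removal safe to keep.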
@@ -1,9 +1,11 @@
 # mkinitcpio preset for the 'linux-hardened' kernel. Produces a UKI at
 # /boot/EFI/Linux/arch-linux-hardened.efi alongside the stock linux UKI.
-# Uses its own cmdline file (etc/kernel/cmdline-linux-hardened.tmpl)
-# carrying hang-detection knobs while we validate the suspend/resume
-# fix on this hardware. The stock linux UKI keeps the minimal
-# etc/kernel/cmdline.tmpl. Register the EFI entry once with efibootmgr:
+# Uses its own cmdline file (etc/kernel/cmdline-linux-hardened.tmpl) to
+# force `mem_sleep_default=s2idle`: this hardware's S3 firmware path
+# wakes reliably on stock linux but hard-hangs the hardened kernel
+# (INIT_ON_FREE + slab hardening turn a latent driver race fatal).
+# Stock linux keeps the minimal etc/kernel/cmdline.tmpl. Register the
+# EFI entry once with efibootmgr:
 #
 # sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \
 # --label 'Arch Hardened' --loader '\EFI\Linux\arch-linux-hardened.efi'
diff --git a/etc/systemd/logind.conf.d/20-no-suspend.conf b/etc/systemd/logind.conf.d/20-no-suspend.conf
deleted file mode 100644
index 1b58aa4..0000000
--- a/etc/systemd/logind.conf.d/20-no-suspend.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-[Login]
-# Suspend is disabled while the linux-hardened wake-from-S3 hang is
-# unresolved (NVMe / i915 / iwlwifi driver UAF surfaced by INIT_ON_FREE
-# + slab hardening). Lid close, suspend/hibernate keys, and idle action
-# all fall back to session lock instead of suspend. The sleep/suspend/
-# hibernate targets are also masked at the unit level via the etc/
-# deploy script as belt-and-braces against `systemctl suspend` from
-# anywhere. Screen-off (DPMS) and swaylock continue to be driven by
-# swayidle and are unaffected.
-HandleLidSwitch=lock
-HandleLidSwitchExternalPower=lock
-HandleLidSwitchDocked=ignore
-HandleSuspendKey=lock
-HandleSuspendKeyLongPress=ignore
-HandleHibernateKey=lock
-HandleHibernateKeyLongPress=ignore
-IdleAction=ignore
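Review bot: The rewritten header comment presents s2idle as the resolution and the commit deletes the logind drop-in, but that drop-in's own text said the sleep/suspend/hibernate targets are also masked at the unit level by the etc/ deploy script, and nothing in this etc/-limited diff lifts those masks. If the deploy script is not changed in the same commit, suspend stays blocked even though logind's defaults are back, so either name the unmasking step here or confirm it lands alongside. The root-cause clause `(INIT_ON_FREE + slab hardening turn a latent driver race fatal)` reads as established fact; if it is inferred from the symptom, `likely` or `apparently` keeps it honest for whoever reproduces it, and a pointer to the upstream report for the driver bug would help, since s2idle avoids triggering the race but the underlying memory-safety defect is still present (and silently tolerated) on the stock kernel. The deleted drop-in also named the suspected drivers (NVMe / i915 / iwlwifi); carrying that list into this comment preserves the only record of where to look if the hang returns.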
