Diffstat (limited to 'etc')
| -rw-r--r-- | etc/kernel/cmdline-linux-hardened.tmpl | 1 | ||||
| -rw-r--r-- | etc/mkinitcpio.d/linux-hardened.preset | 8 |
2 files changed, 7 insertions, 2 deletions
diff --git a/etc/kernel/cmdline-linux-hardened.tmpl b/etc/kernel/cmdline-linux-hardened.tmpl
new file mode 100644
index 0000000..d2e2973
--- /dev/null
+++ b/etc/kernel/cmdline-linux-hardened.tmpl
@@ -0,0 +1 @@
+rd.luks.name={{ output "lsblk" "-dno" "UUID" (printf "/dev/%s" .luksRootPartition) | trim }}=root root=/dev/mapper/root rw quiet init_on_free=0 nmi_watchdog=panic softlockup_panic=1 panic=10
diff --git a/etc/mkinitcpio.d/linux-hardened.preset b/etc/mkinitcpio.d/linux-hardened.preset
index 92da91c..960a24a 100644
--- a/etc/mkinitcpio.d/linux-hardened.preset
+++ b/etc/mkinitcpio.d/linux-hardened.preset
@@ -1,7 +1,10 @@
 # mkinitcpio preset for the 'linux-hardened' kernel. Produces a UKI at
 # /boot/EFI/Linux/arch-linux-hardened.efi alongside the stock linux UKI.
-# Shares etc/kernel/cmdline.tmpl (same LUKS root, no kernel-specific
-# cmdline knobs). Register the EFI entry once with efibootmgr:
+# Uses its own cmdline file (etc/kernel/cmdline-linux-hardened.tmpl)
+# to carry workarounds for hardened-specific suspend/resume hangs on
+# this hardware (init_on_free=0 + hang-detection knobs). The stock
+# linux UKI keeps the minimal etc/kernel/cmdline.tmpl. Register the
+# EFI entry once with efibootmgr:
 #
 # sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \
 # --label 'Arch Hardened' --loader '\EFI\Linux\arch-linux-hardened.efi'
@@ -10,6 +13,7 @@
 #ALL_config="/etc/mkinitcpio.conf"
 ALL_kver="/boot/vmlinuz-linux-hardened"
+ALL_cmdline="/etc/kernel/cmdline-linux-hardened"
 PRESETS=('default' 'fallback')
|
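Review bot: `init_on_free=0` on the added cmdline line turns off zero-on-free, one of the hardening defaults this kernel is normally chosen for, so freed pages that held key material or decrypted data keep their contents until they are reused. The preset header in the next file calls it a suspend/resume workaround but records neither that cost nor a condition for removing the flag, and the template itself carries no explanation. If the template engine is Go text/template, as the `output … | trim` pipeline suggests, a leading comment action such as `{{- /* init_on_free=0 trades zero-on-free hardening for a resume-hang workaround; drop once fixed */ -}}` would keep the rationale next to the flag. It is also worth confirming that an empty UUID from `lsblk` cannot render `rd.luks.name==root`, which would leave the root volume unmapped at boot.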
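Review bot: `ALL_cmdline` in the last hunk applies to every entry in `PRESETS`, so if the fallback preset also builds a UKI (its `fallback_*` lines are outside this hunk) the recovery image inherits `init_on_free=0` and the `panic=10` reboot-on-lockup knobs as well. The path names a rendered file, `/etc/kernel/cmdline-linux-hardened`, which presumably exists only after the `.tmpl` has been applied. Whether a missing file fails the build or silently falls back to the stock cmdline is not visible here. I would add a comment above the line, `# Rendered from cmdline-linux-hardened.tmpl; must exist before mkinitcpio -p linux-hardened runs`, and inspect the `.cmdline` section of the rebuilt UKI once to confirm which command line was actually embedded.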
