From 5bad9a9d0a88316c577151fef5655299e58c74c2 Mon Sep 17 00:00:00 2001
From: sommerfeld <sommerfeld@sommerfeld.dev>
Date: Fri, 29 May 2026 11:18:12 +0100
Subject: docs(bootstrap): mention optional linux-hardened EFI entry

The hardened kernel ships as a parallel UKI; document its efibootmgr
registration alongside the stock one. Stock stays default-boot;
hardened is selected on demand (efibootmgr --bootnext or firmware menu).
---
 bootstrap.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/bootstrap.sh b/bootstrap.sh
index d6f986c..de244df 100755
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -129,6 +129,10 @@ if [ -d /sys/firmware/efi ]; then
     # shellcheck disable=SC1003 # backslash is literal text shown to the user
     warn '  sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \'
     warn "      --label 'Arch UKI' --loader '\\EFI\\Linux\\arch-linux.efi'"
+    warn 'optionally, also register the linux-hardened UKI (opt-in boot):'
+    # shellcheck disable=SC1003
+    warn '  sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \'
+    warn "      --label 'Arch Hardened' --loader '\\EFI\\Linux\\arch-linux-hardened.efi'"
   fi
 fi
 
-- 
cgit v1.3.1