From a6f1e9026e5d19b50c7c522e30e6f216fc9f8180 Mon Sep 17 00:00:00 2001 From: sommerfeld Date: Fri, 29 May 2026 11:18:16 +0100 Subject: feat(kernel): swap stock linux for linux-lts as fallback kernel Promotes linux-hardened to the sole primary kernel and replaces linux with linux-lts as the safety-net fallback. Rationale: - linux and linux-hardened track the same upstream major version and ship within days of each other, so 'linux' was a poor fallback for the regression class that historically takes out the hardened kernel on this hardware (e.g. checkpoint 026 wake-from-suspend panic). linux-lts lags by weeks/months and is almost always known-good when hardened breaks. - Drop etc/mkinitcpio.d/linux.preset, add linux-lts.preset. Hardened preset header + bootstrap.sh efibootmgr instructions updated accordingly (hardened registered first so it's the default; lts registered as the on-demand fallback). - Also add mkinitcpio-firmware (AUR) to silence the spurious 'missing firmware' warnings during initramfs builds. Manual host-side steps after deploy: paru -S linux-lts linux-lts-headers mkinitcpio-firmware sudo pacman -Rsn linux # or via 'just pkg-apply' undeclared flow sudo rm -f /etc/mkinitcpio.d/linux.preset # chezmoi-deployed, not pkg-owned sudo mkinitcpio -P sudo efibootmgr # add the Arch LTS entries, drop the stock linux ones Note: meta/nvidia.txt still lists 'linux-headers' for nvidia-dkms. That's a per-host concern; flagged for follow-up if any nvidia host moves to the linux-lts world.
---
bootstrap.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'bootstrap.sh')
diff --git a/bootstrap.sh b/bootstrap.sh
index afa4909..2f35f9d 100755
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -125,20 +125,20 @@ if [ -d /sys/firmware/efi ]; then
 if ! sudo efibootmgr 2>/dev/null | grep -iq arch; then
 warn 'no Arch Linux EFI boot entry found'
 warn 'after first kernel install, run: sudo mkinitcpio -P'
- warn 'then register the UKI with efibootmgr, for example:'
+ warn 'then register the UKIs with efibootmgr (hardened first so it'\''s the default):'
 # shellcheck disable=SC1003 # backslash is literal text shown to the user
 warn ' sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \'
- warn " --label 'Arch UKI' --loader '\\EFI\\Linux\\arch-linux.efi'"
+ warn " --label 'Arch Hardened' --loader '\\EFI\\Linux\\arch-linux-hardened.efi'"
 # shellcheck disable=SC1003
 warn ' sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \'
- warn " --label 'Arch UKI Fallback' --loader '\\EFI\\Linux\\arch-linux-fallback.efi'"
+ warn " --label 'Arch Hardened Fallback' --loader '\\EFI\\Linux\\arch-linux-hardened-fallback.efi'"
- warn 'optionally, also register the linux-hardened UKIs (opt-in boot):'
+ warn 'and the linux-lts fallback kernel UKIs:'
 # shellcheck disable=SC1003
 warn ' sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \'
- warn " --label 'Arch Hardened' --loader '\\EFI\\Linux\\arch-linux-hardened.efi'"
+ warn " --label 'Arch LTS' --loader '\\EFI\\Linux\\arch-linux-lts.efi'"
 # shellcheck disable=SC1003
 warn ' sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \'
- warn " --label 'Arch Hardened Fallback' --loader '\\EFI\\Linux\\arch-linux-hardened-fallback.efi'"
+ warn " --label 'Arch LTS Fallback' --loader '\\EFI\\Linux\\arch-linux-lts-fallback.efi'"
 fi
 fi
-- cgit v1.3.1
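Review bot: The new hint "hardened first so it's the default" is likely to give the opposite result, because `efibootmgr --create` by default inserts each new entry at the front of BootOrder, so running the four printed commands in order leaves 'Arch LTS Fallback' as the firmware default and the hardened UKI last. Since the commit's purpose is to boot linux-hardened by default, a host set up from this text would quietly run the non-hardened kernel. I would either print the commands in reverse order or end the message with an explicit ordering step, e.g. `warn 'then set the order explicitly: sudo efibootmgr --bootorder <hardened>,<hardened-fallback>,<lts>,<lts-fallback>'` (placeholders for the Boot#### numbers that `sudo efibootmgr` lists). Separately, the `grep -iq arch` guard in the context line only fires when no Arch entry exists at all, so a host that still has the old 'Arch UKI' entries never sees this text and keeps its stale stock-kernel entries. The enclosing `if [ -d /sys/firmware/efi ]` block starts outside the hunk, so I can only flag that guard rather than propose a full fix.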