From 8ebe3f106e53dc4032428a2e3435c4feea969087 Mon Sep 17 00:00:00 2001 From: sommerfeld Date: Fri, 29 May 2026 11:18:12 +0100 Subject: feat(boot): add linux-hardened as parallel UKI MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Installs linux-hardened + linux-hardened-headers alongside the stock linux kernel. Stock kernel remains the default; linux-hardened is opt-in via efibootmgr --bootnext after the EFI entry is registered (one-time host-side step, documented in the preset). After first 'just pkg-apply', mkinitcpio auto-builds /boot/EFI/Linux/arch-linux-hardened.efi from the new preset (sharing etc/kernel/cmdline.tmpl with the stock UKI — same LUKS root, no kernel-specific cmdline knobs). Host-side EFI entry registration: sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \ --label 'Arch Hardened' --loader '\\EFI\\Linux\\arch-linux-hardened.efi' Roll back any time by removing both packages and the preset file; the stock kernel and its UKI are untouched. --- etc/mkinitcpio.d/linux-hardened.preset | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 etc/mkinitcpio.d/linux-hardened.preset (limited to 'etc/mkinitcpio.d/linux-hardened.preset') diff --git a/etc/mkinitcpio.d/linux-hardened.preset b/etc/mkinitcpio.d/linux-hardened.preset new file mode 100644 index 0000000..92da91c --- /dev/null +++ b/etc/mkinitcpio.d/linux-hardened.preset 
@@ -0,0 +1,19 @@ +# mkinitcpio preset for the 'linux-hardened' kernel. Produces a UKI at +# /boot/EFI/Linux/arch-linux-hardened.efi alongside the stock linux UKI. +# Shares etc/kernel/cmdline.tmpl (same LUKS root, no kernel-specific +# cmdline knobs). Register the EFI entry once with efibootmgr: +# +# sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \ +# --label 'Arch Hardened' --loader '\EFI\Linux\arch-linux-hardened.efi' +# +# Boot it on demand via: sudo efibootmgr --bootnext XXXX && systemctl reboot + +#ALL_config="/etc/mkinitcpio.conf" +ALL_kver="/boot/vmlinuz-linux-hardened" + +PRESETS=('default' 'fallback') + +default_uki="/boot/EFI/Linux/arch-linux-hardened.efi" + +fallback_uki="/boot/EFI/Linux/arch-linux-hardened-fallback.efi" +fallback_options="-S autodetect" -- cgit v1.3.1
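Review bot: the `--loader` path in the preset's header comment is written with single backslashes (`'\EFI\Linux\arch-linux-hardened.efi'`) while the commit message writes it with doubled ones (`'\\EFI\\Linux\\arch-linux-hardened.efi'`); inside single quotes the shell passes backslashes literally, so the two commands register different loader strings, and only the single-backslash form matches the EFI path the preset actually produces. Make the commit message and the comment agree. Two smaller points on the same comment block: `--disk /dev/nvme0n1 --part 1` are host-specific values for the ESP, so mark them as an example to be adapted rather than a command to copy verbatim (a wrong disk/partition registers an entry that never boots), and the preset says nothing about whether `arch-linux-hardened.efi` and its `-fallback` twin receive the same post-build handling as the stock UKI (e.g. whatever signing step the stock `arch-linux.efi` goes through); if that handling is keyed on the stock output path, the new files will be left out of it, so either document that it is covered or extend it.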