From a6f1e9026e5d19b50c7c522e30e6f216fc9f8180 Mon Sep 17 00:00:00 2001
From: sommerfeld
Date: Fri, 29 May 2026 11:18:16 +0100
Subject: feat(kernel): swap stock linux for linux-lts as fallback kernel

Promotes linux-hardened to the sole primary kernel and replaces linux with linux-lts as the safety-net fallback.

Rationale:

- linux and linux-hardened track the same upstream major version and ship within days of each other, so 'linux' was a poor fallback for the regression class that historically takes out the hardened kernel on this hardware (e.g. checkpoint 026 wake-from-suspend panic). linux-lts lags by weeks/months and is almost always known-good when hardened breaks.
- Drop etc/mkinitcpio.d/linux.preset, add linux-lts.preset. Hardened preset header + bootstrap.sh efibootmgr instructions updated accordingly (hardened registered first so it's the default; lts registered as the on-demand fallback).
- Also add mkinitcpio-firmware (AUR) to silence the spurious 'missing firmware' warnings during initramfs builds.

Manual host-side steps after deploy:

    paru -S linux-lts linux-lts-headers mkinitcpio-firmware
    sudo pacman -Rsn linux                       # or via 'just pkg-apply' undeclared flow
    sudo rm -f /etc/mkinitcpio.d/linux.preset    # chezmoi-deployed, not pkg-owned
    sudo mkinitcpio -P
    sudo efibootmgr                              # add the Arch LTS entries, drop the stock linux ones

Note: meta/nvidia.txt still lists 'linux-headers' for nvidia-dkms. That's a per-host concern; flagged for follow-up if any nvidia host moves to the linux-lts world.
---
 etc/mkinitcpio.d/linux-hardened.preset | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)
(limited to 'etc/mkinitcpio.d/linux-hardened.preset')

diff --git a/etc/mkinitcpio.d/linux-hardened.preset b/etc/mkinitcpio.d/linux-hardened.preset
index fcb94a5..332b7e5 100644
--- a/etc/mkinitcpio.d/linux-hardened.preset
+++ b/etc/mkinitcpio.d/linux-hardened.preset
@@ -1,16 +1,22 @@ -# mkinitcpio preset for the 'linux-hardened' kernel. Produces a UKI at -# /boot/EFI/Linux/arch-linux-hardened.efi alongside the stock linux UKI. -# Uses its own cmdline file (etc/kernel/cmdline-linux-hardened.tmpl) to -# force `mem_sleep_default=s2idle`: this hardware's S3 firmware path -# wakes reliably on stock linux but hard-hangs the hardened kernel -# (INIT_ON_FREE + slab hardening turn a latent driver race fatal). -# Stock linux keeps the minimal etc/kernel/cmdline.tmpl. Register the -# EFI entry once with efibootmgr: +# mkinitcpio preset for the 'linux-hardened' kernel — the PRIMARY boot +# kernel on this host. Produces a UKI at +# /boot/EFI/Linux/arch-linux-hardened.efi alongside the linux-lts UKI +# (linux-lts is the fallback kernel for the rare case where a hardened +# upgrade breaks; see linux-lts.preset). Uses its own cmdline file +# (etc/kernel/cmdline-linux-hardened.tmpl) to force +# `mem_sleep_default=s2idle`: this hardware's S3 firmware path wakes +# reliably on the mainline/lts kernel but hard-hangs the hardened +# kernel (INIT_ON_FREE + slab hardening turn a latent driver race +# fatal). linux-lts keeps the minimal etc/kernel/cmdline.tmpl. +# +# Register the EFI entries (hardened first so it's the default boot): # # sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \ # --label 'Arch Hardened' --loader '\EFI\Linux\arch-linux-hardened.efi' +# sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \ +# --label 'Arch LTS' --loader '\EFI\Linux\arch-linux-lts.efi' # -# Boot it on demand via: sudo efibootmgr --bootnext XXXX && systemctl reboot +# Boot LTS on demand via: sudo efibootmgr --bootnext XXXX && systemctl reboot #ALL_config="/etc/mkinitcpio.conf" ALL_kver="/boot/vmlinuz-linux-hardened" -- cgit v1.3.1
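Review bot: the new header comment "Register the EFI entries (hardened first so it's the default boot)" gets the ordering backwards for efibootmgr's default `--create` behaviour, which prepends each newly created entry to BootOrder; running the 'Arch Hardened' command first and the 'Arch LTS' command second therefore leaves LTS as the default boot, the opposite of what the comment and the commit message intend. Either swap the two commands so the hardened entry is created last, or pin the order explicitly after both creations (e.g. `sudo efibootmgr --bootorder XXXX,YYYY` with the hardened Boot#### id first), and say on the `--bootnext XXXX` line that XXXX is the four-hex-digit Boot#### id that `sudo efibootmgr` prints for the LTS entry, so the fallback path can be exercised without guessing. Because this fallback exists precisely for the case where the hardened kernel fails to boot, the instructions should end with a check of the resulting order via `sudo efibootmgr -v` before it is relied upon.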