# mkinitcpio preset for the 'linux-hardened' kernel — the PRIMARY boot
# kernel on this host. Produces a UKI at
# /boot/EFI/Linux/arch-linux-hardened.efi alongside the linux-lts UKI
# (linux-lts is the fallback kernel for the rare case where a hardened
# upgrade breaks; see linux-lts.preset). Uses its own cmdline file
# (etc/kernel/cmdline-linux-hardened.tmpl) to force
# `mem_sleep_default=s2idle`: this hardware's S3 firmware path wakes
# reliably on the mainline/lts kernel but hard-hangs the hardened
# kernel (INIT_ON_FREE + slab hardening turn a latent driver race
# fatal). linux-lts keeps the minimal etc/kernel/cmdline.tmpl.
#
# Register the EFI entries (hardened first so it's the default boot):
#
#   sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \
#     --label 'Arch Hardened' --loader '\EFI\Linux\arch-linux-hardened.efi'
#   sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \
#     --label 'Arch LTS' --loader '\EFI\Linux\arch-linux-lts.efi'
#
# Boot LTS on demand (XXXX = the BootNNNN number efibootmgr lists for the
# 'Arch LTS' entry):  sudo efibootmgr --bootnext XXXX && systemctl reboot

# Kernel-wide settings (apply to every preset listed in PRESETS below).
# ALL_config is left commented out: the value shown is mkinitcpio's usual
# default config path, so presumably the default (/etc/mkinitcpio.conf)
# applies — uncomment only to give this kernel its own hooks/modules config.
#ALL_config="/etc/mkinitcpio.conf"
ALL_kver="/boot/vmlinuz-linux-hardened"
# Per-kernel cmdline (forces mem_sleep_default=s2idle, see header). The
# cmdline is embedded into the UKI at build time, so edits to this file take
# effect only on the next rebuild (kernel upgrade or `mkinitcpio -p linux-hardened`).
ALL_cmdline="/etc/kernel/cmdline-linux-hardened"

# Two images: 'default' (host-specific module set) and 'fallback' (see below).
PRESETS=('default' 'fallback')

# Primary boot entry; this is the path registered first with efibootmgr in
# the header so it becomes the default boot choice.
default_uki="/boot/EFI/Linux/arch-linux-hardened.efi"

# Fallback image: `-S autodetect` skips the autodetect hook, so the image
# carries every module from the config rather than only those detected on
# this host — larger, but still boots if the hardware changes.
# NOTE(review): nothing in this preset signs either UKI; if Secure Boot is
# enforced, confirm the signing step (e.g. a post-build hook) covers both
# default_uki and fallback_uki, not just the default image.
fallback_uki="/boot/EFI/Linux/arch-linux-hardened-fallback.efi"
fallback_options="-S autodetect"