Appendix: System Internals

Deep-dive reference into the P16g’s boot process, disk layout, initramfs generation, kernel parameters, and security stack. This appendix serves as both a deployment record and a learning resource for kernel development.

Boot Chain

The P16g boots through 8 stages from UEFI firmware to the Hyprland desktop. Every stage is documented below with the actual configuration from this machine.

[Diagram: boot-chain]

Disk & Partition Layout

4-partition NVMe scheme with dual LUKS encryption and btrfs subvolumes. Root and home are on separate LUKS volumes — independent encryption keys, independent snapshots.

[Diagram: partition-layout]

fstab Mount Options

Option            Purpose
rw,noatime        Read-write; no access-time updates (fewer metadata writes, better SSD performance)
compress=zstd:3   Transparent zstd compression at level 3 (roughly 30% savings on text)
ssd               SSD-optimized allocation
discard=async     Background TRIM (batched, not issued per delete)
space_cache=v2    Free-space tree (faster allocation)
subvol=/@         Mount a specific btrfs subvolume rather than the top level

ESP Layout

The EFI System Partition holds the kernels, the default initramfs images, the microcode and systemd-boot itself. The fallback initramfs images stay on /boot (ext4) because they do not fit on the FAT32 ESP. Keep in mind that systemd-boot only reads FAT filesystems (the ESP and an optional XBOOTLDR partition), so an image that is not on the ESP cannot be booted from its menu.

[Diagram: esp-layout]

Why Two Kernels?

Kernel                Purpose
linux (6.19.10)       Mainline: latest features, GPU drivers, daily driver
linux-lts (6.18.20)   LTS: stability fallback if mainline breaks after an update

If a pacman -Syu delivers a broken mainline kernel, reboot into the LTS entry from the systemd-boot menu: use the arrow keys during the 3-second countdown to select the LTS entry (or press its number). The l hotkey boots the first Linux entry in sort order, which on this layout may well be the mainline one, so do not rely on it to reach the LTS.

Pacman Hook: ESP Kernel Sync

Kernels and initramfs are generated on /boot (ext4) but also copied to /boot/efi (ESP) via a pacman hook. This ensures systemd-boot can load them from the ESP.
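The script below is an added example of what such a sync hook can run; it is not this machine's hook. It copies the kernel images, the default initramfs and the microcode from /boot to the ESP, skips the fallback images that stay on /boot, and verifies the copy afterwards. The hook file name, its Exec path and the 95- ordering prefix are assumptions for the example.

```shell
#!/bin/sh
# Added example (not this machine's hook): copy the kernel images, the default
# initramfs and the CPU microcode from /boot (ext4) to the ESP after every
# kernel or initramfs rebuild, leaving the oversized *-fallback.img on /boot.
# A pacman hook that would run it (hypothetical file name and Exec path):
#
#   /etc/pacman.d/hooks/95-esp-sync.hook
#   [Trigger]
#   Operation = Install
#   Operation = Upgrade
#   Type = Path
#   Target = usr/lib/modules/*/vmlinuz
#   Target = usr/lib/initcpio/*
#   [Action]
#   Description = Syncing kernels, initramfs and microcode to the ESP...
#   When = PostTransaction
#   Exec = /usr/local/bin/sync-esp-kernels /boot /boot/efi
#
# The 95- prefix sorts it after mkinitcpio's own 90-mkinitcpio-install.hook,
# so the freshly built images are the ones that get copied.
set -eu

# boot_images SRC: list the files under SRC that belong on the ESP.
# (Paths are assumed to contain no whitespace, which holds for /boot.)
boot_images() {
    for f in "$1"/vmlinuz-* "$1"/initramfs-*.img "$1"/*-ucode.img; do
        [ -e "$f" ] || continue
        case $f in *-fallback.img) continue ;; esac   # stays on /boot
        printf '%s\n' "$f"
    done
}

# sync_kernels SRC DST: copy every boot image whose content differs from
# the copy on DST. Each file is written under a temporary name and renamed,
# so a crash mid-copy never leaves a truncated kernel under the name that
# systemd-boot will load.
sync_kernels() {
    src=$1; dst=$2
    [ -d "$dst" ] || { echo "ESP not mounted at $dst" >&2; return 1; }
    for f in $(boot_images "$src"); do
        name=$(basename "$f")
        if ! cmp -s "$f" "$dst/$name"; then
            cp -- "$f" "$dst/$name.tmp"
            mv -- "$dst/$name.tmp" "$dst/$name"
            echo "synced $name"
        fi
    done
}

# verify_sync SRC DST: return 1 if any boot image differs between SRC and DST.
verify_sync() {
    rc=0
    for f in $(boot_images "$1"); do
        cmp -s "$f" "$2/$(basename "$f")" ||
            { echo "MISMATCH: $(basename "$f")" >&2; rc=1; }
    done
    return $rc
}

if [ $# -eq 2 ]; then
    sync_kernels "$1" "$2"
    verify_sync "$1" "$2"
fi
```

Because the copy is content-based (cmp) rather than timestamp-based, the hook is idempotent and a second run after an untouched upgrade copies nothing; the verify step is what turns a silently half-written ESP into a failed pacman transaction you actually notice.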

mkinitcpio Hooks Pipeline

The initramfs is built by mkinitcpio running 13 hooks in order. Each hook adds specific modules, binaries, or scripts to the early boot environment.

[Diagram: mkinitcpio-hooks]

Hook Reference

Hook: base
  Adds: busybox, init script, basic filesystem tools
  Why:  Always required; the foundation of early userspace

Hook: udev
  Adds: systemd-udev device manager
  Why:  Hardware detection and /dev population

Hook: autodetect
  Adds: Nothing; it FILTERS the module set down to this hardware only
  Why:  Shrinks the initramfs from 198MB to 137MB. Skipped in the fallback image. Only hooks listed after it are filtered; hooks placed before it keep all their modules.

Hook: modconf
  Adds: Files from /etc/modprobe.d/
  Why:  Custom module parameters (NVIDIA, blacklists)

Hook: kms
  Adds: GPU DRM drivers (nvidia, i915)
  Why:  Early display before root mount, so the LUKS prompt is visible

Hook: keyboard
  Adds: USB HID and PS/2 keyboard drivers
  Why:  Typing the LUKS passphrase; without this there is no keyboard at boot

Hook: keymap
  Adds: Keymap from /etc/vconsole.conf
  Why:  Correct keyboard layout for passphrase entry

Hook: consolefont
  Adds: Console font from vconsole.conf
  Why:  WARNING: no font is configured on this machine; cosmetic only

Hook: block
  Adds: Block device drivers (NVMe, SATA, USB storage)
  Why:  Access to the NVMe drive that holds the LUKS volumes

Hook: encrypt
  Adds: dm-crypt, cryptsetup
  Why:  CRITICAL: unlocks the LUKS-encrypted root (cryptdevice=UUID=…​:cryptroot)

Hook: btrfs
  Adds: btrfs module, btrfs-progs tools
  Why:  CRITICAL: mounts the btrfs subvolumes (subvol=@)

Hook: filesystems
  Adds: ext4, vfat, xfs modules
  Why:  Support for /boot (ext4) and the ESP (vfat)

Hook: fsck
  Adds: Filesystem check tools
  Why:  Integrity check before mount

Default vs Fallback Initramfs

[Diagram: initramfs-default-vs-fallback]

Firmware Warnings Explained

The firmware warnings printed during the fallback build refer to hardware that is not present in the P16g and are safe to ignore:

Firmware                  What it is for
qat_6xxx                  Intel QuickAssist crypto accelerator (server/enterprise)
ast                       Aspeed BMC video controller (server baseboard management)
xhci_pci_renesas          Renesas USB 3.0 controller (specific USB add-in cards)
aic94xx                   Adaptec SAS host bus adapter (server storage)
bfa                       Brocade Fibre Channel adapter (SAN storage)
qed / qla1280 / qla2xxx   QLogic Ethernet/SCSI/Fibre Channel (server NICs)
wd719x                    Western Digital SCSI controller (legacy server)

These warnings appear only in the fallback build because autodetect is skipped there: ALL modules are included, including drivers for hardware you do not have, and mkinitcpio reports every firmware blob those drivers reference but that is not installed.

Kernel Boot Parameters

Every parameter in /proc/cmdline annotated:

Parameter
  Purpose

cryptdevice=UUID=a33c…​:cryptroot
  Tells the encrypt hook which LUKS partition to unlock and what to name the dm-crypt mapper device

root=/dev/mapper/cryptroot
  Root filesystem location (the unlocked mapper device)

rootflags=subvol=@
  Mount btrfs subvolume @ as root rather than the top level of the btrfs volume

rw
  Mount root read-write immediately (skip the read-only then remount-rw cycle)

nvidia_drm.modeset=1
  Enable NVIDIA DRM kernel mode setting; required for Wayland/Hyprland

mem_sleep_default=s2idle
  Default to suspend-to-idle (Intel modern standby); faster wake than S3

acpi_mask_gpe=0x6E
  Mask ACPI General Purpose Event 0x6E, the ThinkPad P16g interrupt-storm fix. Without it the CPU sits at 100% handling phantom ACPI events.

lsm=landlock,lockdown,yama,integrity,apparmor,bpf
  Linux Security Module load order (see LSM Stack below)

apparmor=1 security=apparmor
  apparmor=1 switches the AppArmor module on. security=apparmor is the legacy selector for the single "major" LSM; when lsm= is also given the kernel ignores it and logs that it is superseded, so AppArmor's place in lsm= is what actually enables it here.

Kernel Module Categories

Categorization of loaded kernel modules by function. Graphviz is used here because module dependency graphs are directed acyclic graphs (DAGs) — Graphviz handles these better than D2.

[Diagram: Kernel Module Categories; generate the SVG with: dot -Tsvg kernel-module-categories.graphviz -o kernel-module-categories.svg]

Module Categories

Category: Bluetooth
  Modules: rfcomm, bnep, cmac
  Purpose: RFCOMM serial protocol, Bluetooth networking, Bluetooth crypto (CMAC)

Category: Networking
  Modules: ip_tables, nf_conntrack, nf_nat, bridge, veth, x_tables
  Purpose: iptables/netfilter firewall, connection tracking, NAT, Docker networking

Category: Cryptography
  Modules: af_alg, algif_hash, algif_skcipher, ccm
  Purpose: Kernel crypto API sockets, hash/cipher interfaces, AES-CCM

Category: Audio
  Modules: snd_seq, snd_hrtimer, snd_seq_dummy, snd_seq_device
  Purpose: ALSA sequencer subsystem (PipeWire uses ALSA underneath)

Category: Containers
  Modules: xt_MASQUERADE, xt_nat, xt_conntrack, iptable_nat
  Purpose: Docker network isolation; NAT and masquerade for container traffic

mkinitcpio Configuration

/etc/mkinitcpio.conf — active hooks line
HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt btrfs filesystems fsck)
/etc/mkinitcpio.d/linux.preset
ALL_kver="/boot/vmlinuz-linux"
PRESETS=('default' 'fallback')
default_image="/boot/initramfs-linux.img"
fallback_image="/boot/initramfs-linux-fallback.img"
fallback_options="-S autodetect"

The -S autodetect in the fallback options means "skip the autodetect hook": every module is included for maximum hardware compatibility, which is why the fallback image is larger and why its build prints the firmware warnings listed earlier.
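The ordering of the HOOKS array is what makes the pipeline above work, and mkinitcpio does not check it for you. The script below is an added example (not part of this machine's configuration) that reads HOOKS=(...) from a mkinitcpio.conf and checks the ordering rules the boot chain depends on: block and the keyboard hooks before encrypt, encrypt before btrfs and filesystems, autodetect before the hooks whose modules it is meant to filter. The rule list is this example's own assumption about why the page's order works.

```shell
#!/bin/sh
# Added example (not part of the page's configuration): read the HOOKS array
# from a mkinitcpio.conf and check the ordering rules the boot chain depends
# on, so a stray edit cannot leave you without a keyboard at the LUKS prompt
# or with an unfiltered default image.
set -eu

# hooks_from_conf FILE: print the space-separated contents of the first
# uncommented HOOKS=(...) line.
hooks_from_conf() {
    sed -n 's/^HOOKS=(\(.*\))[[:space:]]*$/\1/p' "$1" | head -n 1
}

# hook_index "LIST" NAME: 1-based position of NAME in LIST, 0 if absent.
hook_index() {
    i=0
    for h in $1; do
        i=$((i + 1))
        if [ "$h" = "$2" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

# check_hooks "LIST": 0 when every "a:b" rule (a must run before b, both
# present) holds. The rules are this example's assumption, encoding the
# reasons given in the hook reference; mkinitcpio itself enforces none of them.
check_hooks() {
    rc=0
    for rule in \
        base:udev \
        udev:autodetect \
        autodetect:modconf \
        autodetect:block \
        autodetect:filesystems \
        block:encrypt \
        keyboard:encrypt \
        keymap:encrypt \
        encrypt:btrfs \
        encrypt:filesystems \
        filesystems:fsck
    do
        a=${rule%%:*}; b=${rule#*:}
        ia=$(hook_index "$1" "$a"); ib=$(hook_index "$1" "$b")
        if [ "$ia" -eq 0 ] || [ "$ib" -eq 0 ]; then
            echo "FAIL: hook '$a' or '$b' missing" >&2; rc=1
        elif [ "$ia" -gt "$ib" ]; then
            echo "FAIL: '$a' must run before '$b'" >&2; rc=1
        fi
    done
    return $rc
}

# Usage: sh check-hooks.sh /etc/mkinitcpio.conf
if [ $# -eq 1 ]; then
    check_hooks "$(hooks_from_conf "$1")" && echo "HOOKS order OK: $1"
fi
```

Running it from a pacman hook before mkinitcpio's own would turn a broken hook order into a failed upgrade rather than a surprise at the next LUKS prompt.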

systemd-boot Configuration

/boot/efi/loader/loader.conf
default arch.conf
timeout 3
console-mode max
editor no

editor no is a security measure: it stops anyone at the boot menu from editing the kernel command line, which could otherwise drop lsm=/apparmor= or change root= and rootflags=. It does not defeat LUKS (the passphrase is still needed), but it would let an unlocked root boot with the security stack switched off. Know its limits, too: the ESP is unencrypted and systemd-boot verifies nothing on its own, so without Secure Boot an attacker with physical access can still edit loader.conf and the entry files on the ESP, or boot their own media. Secure Boot with signed kernel images is what closes that gap.

Quick Reference Commands

Task                     Command
Boot time summary        systemd-analyze
Boot time breakdown      systemd-analyze blame | head -20
Critical chain           systemd-analyze critical-chain
Current kernel params    cat /proc/cmdline
Loaded module count      lsmod | wc -l
Module info              modinfo <module>
Module dependencies      modprobe --show-depends <module>
Rebuild initramfs        sudo mkinitcpio -P   (all presets)
Rebuild single preset    sudo mkinitcpio -p linux
Disk layout              lsblk -f
Btrfs subvolumes         sudo btrfs subvolume list /
ESP contents             ls -lh /boot/efi/
Boot entries             bootctl list
AppArmor status          sudo aa-status | head -5
LSM stack                cat /sys/kernel/security/lsm