Bareboot

08 Apr, 2026

Typical Arch Setup

Bootloader: GRUB / systemd-boot
Initramfs Generator: mkinitcpio
ESP mount point: /boot or /boot/efi
Partition type: ESP
Filesystem type: FAT32

My Setup

Bootloader: systemd-boot
Initramfs Generator: mkosi-initrd
ESP mount point: /efi
Partition type: ESP
Filesystem type: FAT32

How-to

Do not install GRUB.
Install systemd-ukify, mkosi, etc.
Create /etc/mkosi-initrd/mkosi.conf with:

[Content]

Packages=
    systemd
    plymouth
    amd-ucode
    linux-firmware-amdgpu
    nvidia-open
    cryptsetup
    tpm2-tools
    xfsprogs

RemoveFiles=
    /usr/lib/systemd/catalog
    /etc/udev/hwdb.d
    /usr/lib/udev/hwdb.d
    /etc/services
    /usr/lib/modules/*/vmlinuz*
    /var/cache
    /var/log

WithDocs=no
CleanPackageMetadata=yes

KernelCommandLine=
    rd.luks.name=f47ac10b-58cc-4372-a567-0e02b2c3d479=root
    rootfstype=xfs
    rw
    splash
    quiet
    loglevel=0
    efi=disable_early_pci_dma
    amd_iommu=on
    iommu=force
    iommu.passthrough=0
    iommu.strict=1
    init_on_free=1
    slab_nomerge
    page_alloc.shuffle=1
    pti=on
    hash_pointers=always
    randomize_kstack_offset=on
    hardened_usercopy=1
    mitigations=auto,nosmt
    tsx=off
    vsyscall=none
    ia32_emulation=0
    cfi=kcfi
    debugfs=off
    bdev_allow_write_mounted=0
    proc_mem.force_override=never
    amdgpu.gpu_recovery=1
    oops=panic
    lsm=landlock,lockdown,yama,integrity,apparmor,bpf,capability

KernelInitrdModules=
    nvme
    amdgpu
    nvidia
    nvidia_modeset
    nvidia_uvm
    nvidia_drm
    i8042
    atkbd
    evdev
    vfat
    xfs
    dm_crypt
    dm_integrity
    ccp
    tpm_crb
    zram
    crypto/
    -sound/
    -net/
    -drivers/net/wireless/

Locale=en_US.UTF-8
MakeInitrd=yes

Create /etc/kernel/install.conf with:

initrd_generator=mkosi-initrd
uki_generator=mkosi
layout=uki

The initramfs generator is a Linux kernel dependency. As of writing this, mkosi-initrd is not one of the expected dependencies; only booster, dracut, and mkinitcpio are. So it is not possible to uninstall mkinitcpio. To silence mkinitcpio:
```
# ln -sf /dev/null /usr/share/libalpm/hooks/60-mkinitcpio-remove.hook
# ln -sf /dev/null /usr/share/libalpm/hooks/90-mkinitcpio-install.hook
```
Remove everything except amd-ucode.img in /boot.
First, run rm -rf /efi/* to remove old files, then run bootctl install, and finally kernel-install add-all.
To automatically do this after a kernel or module update, add the following to /etc/pacman.d/hooks/60-kernel-install-remove.hook:

[Trigger]
Type = Package
Operation = Install
Operation = Upgrade
Operation = Remove
Target = linux

[Trigger]
Type = Package
Operation = Remove
Target = mkosi

[Action]
Description = Removing UKI...
When = PreTransaction
Exec = /usr/bin/bash -c "rm -rf /efi/EFI/Linux/*"
NeedsTargets

And add the following to /etc/pacman.d/hooks/90-kernel-install-add.hook:

[Trigger]
Type = Package
Operation = Install
Operation = Upgrade
Operation = Remove
Target = systemd
Target = plymouth
Target = amd-ucode
Target = linux-firmware-amdgpu
Target = nvidia-open
Target = cryptsetup
Target = tpm2-tools
Target = xfsprogs
Target = linux

[Trigger]
Type = Package
Operation = Install
Operation = Upgrade
Target = mkosi

[Action]
Description = Updating UKI...
When = PostTransaction
Exec = /usr/bin/kernel-install add-all
NeedsTargets

That's it, enjoy your UKI system. Secure Boot is also easier after this, but I just didn't bother to do it xD