Mkinitcpio

https://wiki.archlinux.org/title/Universal_2nd_Factor#Data-at-rest_encryption_with_LUKS
“Since version 248, systemd can be use to unlock a LUKS partition using a FIDO2 key.”

For the current setup, this is what I have. Here it needs to ensure that the modules listed there are really necessary. Also the busybox hooks are completely removed and it depends only on systemd’s ones.

# vim:set ft=sh

MODULES="usbhid xhci_hcd i915"

BINARIES=()

FILES=""

HOOKS="systemd autodetect block keyboard sd-vconsole sd-encrypt filesystems fsck"

Here I created another preset at /etc/mkinitcpio.d/linux.preset to test the changes without loosing access to a working system. This is it:

ALL_config="/etc/mkinitcpio.conf"
ALL_kver="/efi/<machine-id>/$(pacman -Q linux | awk '{print $2}')-MANJARO/linux"
ALL_microcode=(/efi/<machine-id>/$(pacman -Q linux | awk '{print $2}')-MANJARO/intel-ucode.img)

PRESETS=(default fallback)

default_uki="/efi/<machine-id>/Linux/linux.efi"
default_options=""
fallback_uki="/efi/<machine-id>/Linux/fallback.efi"
fallback_options="-S autodetect"

(re)build it with mkinitcpio -p linux. Or rebuild them all with mkinitcpio -P.