diff --git a/WORKSPACE b/WORKSPACE
index ac7e314..7abd0c6 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -94,9 +94,23 @@
 
 linux_kernel_version = "4.19.72"
 
+# If we don't do this we're double-building Linux, once for the toolchain and once for the target
+make_gen_init_cpio_available = """
+load("@rules_cc//cc:defs.bzl", "cc_binary")
+cc_binary(name = "gen_init_cpio", srcs = ["usr/gen_init_cpio.c"], visibility = ["//visibility:public"])
+"""
+
 http_archive(
     name = "linux_kernel",
-    build_file_content = all_content,
+    build_file_content = all_content + "\n" + make_gen_init_cpio_available,
+    patch_args = ["-p1"],
+    patches = [
+        # Fix is in mainline, but upstream hasn't backported it to 4.19.
+        # Will go away when we switch to 5.4 LTS
+        "@//core/build/linux_kernel:kbuild-add--fcf-protection-none-to-retpoline-flags.patch",
+        # Enable built-in cmdline for efistub
+        "@//core/build/linux_kernel:0001-x86-Allow-built-in-command-line-to-work-in-early-ker.patch",
+    ],
     sha256 = "f9fcb6b3bd29115ac55fc154e300c3dce2044502732f6842ad6c25e6f9f51f6d",
     strip_prefix = "linux-" + linux_kernel_version,
     urls = ["https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-%s.tar.xz" % linux_kernel_version],
@@ -161,7 +175,7 @@
     name = "kubernetes",
     patch_args = ["-p1"],
     patches = [
-        "@//core/build/kubernetes:0001-avoid-unexpected-keyword-error-by-using-positional-p.patch"
+        "@//core/build/kubernetes:0001-avoid-unexpected-keyword-error-by-using-positional-p.patch",
     ],
     sha256 = "21d884b67abd1182958313474a40678ba8f3713e6b6f520401e42c02ba6ea302",
     urls = ["https://dl.k8s.io/v%s/kubernetes-src.tar.gz" % k8s_version],
@@ -174,4 +188,4 @@
     sha256 = "f6d65480241ec0fd7a0d01f432938b97d7395aeb8eefbe859bb877c9b4eafa56",
     strip_prefix = "repo-infra-9f4571ad7242bf3ec4b47365062498c2528f9a5f",
     urls = mirror("https://github.com/kubernetes/repo-infra/archive/9f4571ad7242bf3ec4b47365062498c2528f9a5f.tar.gz"),
-)
\ No newline at end of file
+)
diff --git a/core/BUILD b/core/BUILD
index d9ed017..edced0a 100644
--- a/core/BUILD
+++ b/core/BUILD
@@ -1,15 +1,18 @@
 genrule(
     name = "image",
     srcs = [
-        "@//core/cmd/mkimage",
-        "@//core/build/linux_kernel:image",
+        "@//core/build/linux_kernel:bzImage",
+        "@//core/build/linux_kernel:initramfs",
     ],
     outs = [
         "smalltown.img",
     ],
     cmd = """
-    $(location @//core/cmd/mkimage) $(location @//core/build/linux_kernel:image) $@
+    $(location @//core/cmd/mkimage) $(location @//core/build/linux_kernel:bzImage) $@ $(location @//core/build/linux_kernel:initramfs)
     """,
+    tools = [
+        "@//core/cmd/mkimage",
+    ],
     visibility = ["//visibility:public"],
 )
 
diff --git a/core/build/linux_kernel/0001-x86-Allow-built-in-command-line-to-work-in-early-ker.patch b/core/build/linux_kernel/0001-x86-Allow-built-in-command-line-to-work-in-early-ker.patch
new file mode 100644
index 0000000..69f0a3d
--- /dev/null
+++ b/core/build/linux_kernel/0001-x86-Allow-built-in-command-line-to-work-in-early-ker.patch
@@ -0,0 +1,402 @@
+Copyright 2020 The Monogon Project Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+
+From 73025c3f822aa19077abe4ece53b03b211faaf52 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg59@coreos.com>
+Date: Thu, 9 Apr 2015 13:25:00 -0700
+Subject: [PATCH 1/2] x86: Allow built-in command line to work in early kernel
+ init
+
+The kernel supports having a command line built into it. Unfortunately this
+doesn't work in all cases - the built-in command line is only appended
+after we've jumped to the kernel proper, but various parts of the early
+boot process also pay attention to the command line.
+
+This patch moves the command line override code from the kernel itself to
+the early init code. Unfortunately the kernel can be executed by jumping
+to the 16-bit entry point, the UEFI entry point, directly to the 32-bit
+entry point or even to the entry point of the uncompressed image, and
+there is no guarantee that any of these will have access to data held in
+the others. As a result, four copies of the command line will be embedded
+in the kernel.
+
+This patch also defines a new field in boot_params in order to allow the
+earlier entry points to inform the generic setup code that the command line
+has already been appended and so shouldn't be added once more.
+
+Updated for Linux 4.19 by Lorenz Brun <lorenz@nexantic.com>
+
+Signed-off-by: Matthew Garrett <mjg59@coreos.com>
+---
+ Documentation/x86/zero-page.txt               |  1 +
+ arch/x86/boot/boot.h                          | 10 ++++
+ arch/x86/boot/cmdline.c                       | 37 ++++++++++++++
+ arch/x86/boot/compressed/cmdline.c            | 18 ++++++-
+ arch/x86/boot/compressed/eboot.c              |  3 ++
+ arch/x86/boot/compressed/misc.c               |  2 +
+ arch/x86/boot/compressed/misc.h               |  3 +-
+ arch/x86/boot/main.c                          |  3 ++
+ arch/x86/include/uapi/asm/bootparam.h         |  5 +-
+ arch/x86/kernel/setup.c                       | 16 +++---
+ .../firmware/efi/libstub/efi-stub-helper.c    | 50 +++++++++++++++++--
+ 11 files changed, 135 insertions(+), 13 deletions(-)
+
+diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
+index 97b7adbceda4..3d5e3a81b5fa 100644
+--- a/Documentation/x86/zero-page.txt
++++ b/Documentation/x86/zero-page.txt
+@@ -12,6 +12,7 @@ Offset	Proto	Name		Meaning
+ 000/040	ALL	screen_info	Text mode or frame buffer information
+ 				(struct screen_info)
+ 040/014	ALL	apm_bios_info	APM BIOS information (struct apm_bios_info)
++054/004	ALL	setup_flags	Flags passed from early kernel setup
+ 058/008	ALL	tboot_addr      Physical address of tboot shared page
+ 060/010	ALL	ist_info	Intel SpeedStep (IST) BIOS support information
+ 				(struct ist_info)
+diff --git a/arch/x86/boot/boot.h b/arch/x86/boot/boot.h
+index ef5a9cc66fb8..4dcf45570976 100644
+--- a/arch/x86/boot/boot.h
++++ b/arch/x86/boot/boot.h
+@@ -273,6 +273,7 @@ void intcall(u8 int_no, const struct biosregs *ireg, struct biosregs *oreg);
+ /* cmdline.c */
+ int __cmdline_find_option(unsigned long cmdline_ptr, const char *option, char *buffer, int bufsize);
+ int __cmdline_find_option_bool(unsigned long cmdline_ptr, const char *option);
++int __cmdline_init(unsigned long cmdline_ptr, struct boot_params *params);
+ static inline int cmdline_find_option(const char *option, char *buffer, int bufsize)
+ {
+ 	unsigned long cmd_line_ptr = boot_params.hdr.cmd_line_ptr;
+@@ -293,6 +294,15 @@ static inline int cmdline_find_option_bool(const char *option)
+ 	return __cmdline_find_option_bool(cmd_line_ptr, option);
+ }
+ 
++static inline int cmdline_init(void)
++{
++	unsigned long cmd_line_ptr = boot_params.hdr.cmd_line_ptr;
++
++	if (cmd_line_ptr >= 0x100000)
++		return -1;      /* inaccessible */
++
++	return __cmdline_init(cmd_line_ptr, &boot_params);
++}
+ /* cpu.c, cpucheck.c */
+ int check_cpu(int *cpu_level_ptr, int *req_level_ptr, u32 **err_flags_ptr);
+ int check_knl_erratum(void);
+diff --git a/arch/x86/boot/cmdline.c b/arch/x86/boot/cmdline.c
+index 625d21b0cd3f..2273d2797570 100644
+--- a/arch/x86/boot/cmdline.c
++++ b/arch/x86/boot/cmdline.c
+@@ -14,6 +14,10 @@
+ 
+ #include "boot.h"
+ 
++#ifdef CONFIG_CMDLINE_BOOL
++static char builtin_cmdline[] = CONFIG_CMDLINE;
++#endif
++
+ static inline int myisspace(u8 c)
+ {
+ 	return c <= ' ';	/* Close enough approximation */
+@@ -156,3 +160,36 @@ int __cmdline_find_option_bool(unsigned long cmdline_ptr, const char *option)
+ 
+ 	return 0;	/* Buffer overrun */
+ }
++
++int __cmdline_init(unsigned long cmdline_ptr, struct boot_params *params)
++{
++#ifdef CONFIG_CMDLINE_BOOL
++	addr_t cptr;
++	int i = 0;
++
++	if (!cmdline_ptr)
++		return -1;      /* No command line */
++
++	set_fs(cmdline_ptr >> 4);
++	cptr = cmdline_ptr & 0xf;
++
++#ifndef CONFIG_CMDLINE_OVERRIDE
++	while (cptr < 0x10000) {
++		char c = rdfs8(cptr);
++		if (!c) {
++			wrfs8(' ', cptr++);
++			break;
++		}
++		cptr++;
++	}
++#endif /* !CONFIG_CMDLINE_OVERRIDE */
++	while (builtin_cmdline[i] && cptr < 0xffff)
++		wrfs8(builtin_cmdline[i++], cptr++);
++
++	wrfs8('\0', cptr);
++
++	params->setup_flags |= SETUP_CMDLINE_APPENDED;
++#endif /* CONFIG_CMDLINE_BOOL */
++
++	return 0;
++}
+diff --git a/arch/x86/boot/compressed/cmdline.c b/arch/x86/boot/compressed/cmdline.c
+index af6cda0b7900..70fbf01f5f36 100644
+--- a/arch/x86/boot/compressed/cmdline.c
++++ b/arch/x86/boot/compressed/cmdline.c
+@@ -1,7 +1,7 @@
+ // SPDX-License-Identifier: GPL-2.0
+ #include "misc.h"
+ 
+-#if CONFIG_EARLY_PRINTK || CONFIG_RANDOMIZE_BASE || CONFIG_X86_5LEVEL
++#if CONFIG_EARLY_PRINTK || CONFIG_RANDOMIZE_BASE || CONFIG_X86_5LEVEL || CONFIG_CMDLINE_BOOL
+ 
+ static unsigned long fs;
+ static inline void set_fs(unsigned long seg)
+@@ -13,6 +13,10 @@ static inline char rdfs8(addr_t addr)
+ {
+ 	return *((char *)(fs + addr));
+ }
++static inline void wrfs8(u8 v, addr_t addr)
++{
++	*((char *)(fs + addr)) = v;
++}
+ #include "../cmdline.c"
+ unsigned long get_cmd_line_ptr(void)
+ {
+@@ -31,4 +35,16 @@ int cmdline_find_option_bool(const char *option)
+ 	return __cmdline_find_option_bool(get_cmd_line_ptr(), option);
+ }
+ 
++int cmdline_init(void)
++{
++	if (!(boot_params->setup_flags & SETUP_CMDLINE_APPENDED))
++		return __cmdline_init(get_cmd_line_ptr(), boot_params);
++	return 0;
++}
++#else
++int cmdline_init(void)
++{
++#error "BAD"
++	return 0;
++}
+ #endif
+diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
+index 544ac4fafd11..0c8059ace733 100644
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -451,6 +451,9 @@ struct boot_params *make_boot_params(struct efi_config *c)
+ 	/* Fill in upper bits of command line address, NOP on 32 bit  */
+ 	boot_params->ext_cmd_line_ptr = (u64)(unsigned long)cmdline_ptr >> 32;
+ 
++#ifdef CONFIG_CMDLINE_BOOL
++	boot_params->setup_flags |= SETUP_CMDLINE_APPENDED;
++#endif
+ 	hdr->ramdisk_image = 0;
+ 	hdr->ramdisk_size = 0;
+ 
+diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c
+index 0387d7a96c84..90af5161dde4 100644
+--- a/arch/x86/boot/compressed/misc.c
++++ b/arch/x86/boot/compressed/misc.c
+@@ -365,6 +365,8 @@ asmlinkage __visible void *extract_kernel(void *rmode, memptr heap,
+ 	lines = boot_params->screen_info.orig_video_lines;
+ 	cols = boot_params->screen_info.orig_video_cols;
+ 
++	cmdline_init();
++
+ 	console_init();
+ 	debug_putstr("early console in extract_kernel\n");
+ 
+diff --git a/arch/x86/boot/compressed/misc.h b/arch/x86/boot/compressed/misc.h
+index 47fd18db6b3b..2e5e1d80ba38 100644
+--- a/arch/x86/boot/compressed/misc.h
++++ b/arch/x86/boot/compressed/misc.h
+@@ -61,10 +61,11 @@ static inline void debug_puthex(const char *s)
+ 
+ #endif
+ 
+-#if CONFIG_EARLY_PRINTK || CONFIG_RANDOMIZE_BASE
++#if CONFIG_EARLY_PRINTK || CONFIG_RANDOMIZE_BASE || CONFIG_CMDLINE_BOOL
+ /* cmdline.c */
+ int cmdline_find_option(const char *option, char *buffer, int bufsize);
+ int cmdline_find_option_bool(const char *option);
++int cmdline_init(void);
+ #endif
+ 
+ 
+diff --git a/arch/x86/boot/main.c b/arch/x86/boot/main.c
+index 9bcea386db65..e3275d57f024 100644
+--- a/arch/x86/boot/main.c
++++ b/arch/x86/boot/main.c
+@@ -137,6 +137,9 @@ void main(void)
+ 	/* First, copy the boot header into the "zeropage" */
+ 	copy_boot_params();
+ 
++	/* Handle built-in command line */
++	cmdline_init();
++
+ 	/* Initialize the early-boot console */
+ 	console_init();
+ 	if (cmdline_find_option_bool("debug"))
+diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
+index a06cbf019744..aee889f5400f 100644
+--- a/arch/x86/include/uapi/asm/bootparam.h
++++ b/arch/x86/include/uapi/asm/bootparam.h
+@@ -30,6 +30,9 @@
+ #define XLF_EFI_HANDOVER_64		(1<<3)
+ #define XLF_EFI_KEXEC			(1<<4)
+ 
++/* setup_flags */
++#define SETUP_CMDLINE_APPENDED		(1<<0)
++
+ #ifndef __ASSEMBLY__
+ 
+ #include <linux/types.h>
+@@ -152,7 +155,7 @@ struct jailhouse_setup_data {
+ struct boot_params {
+ 	struct screen_info screen_info;			/* 0x000 */
+ 	struct apm_bios_info apm_bios_info;		/* 0x040 */
+-	__u8  _pad2[4];					/* 0x054 */
++	__u32 setup_flags;				/* 0x054 */
+ 	__u64  tboot_addr;				/* 0x058 */
+ 	struct ist_info ist_info;			/* 0x060 */
+ 	__u8  _pad3[16];				/* 0x070 */
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index b4866badb235..c6ad8800349b 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -935,16 +935,18 @@ void __init setup_arch(char **cmdline_p)
+ 	bss_resource.end = __pa_symbol(__bss_stop)-1;
+ 
+ #ifdef CONFIG_CMDLINE_BOOL
++	if (!(boot_params.setup_flags & SETUP_CMDLINE_APPENDED)) {
+ #ifdef CONFIG_CMDLINE_OVERRIDE
+-	strlcpy(boot_command_line, builtin_cmdline, COMMAND_LINE_SIZE);
+-#else
+-	if (builtin_cmdline[0]) {
+-		/* append boot loader cmdline to builtin */
+-		strlcat(builtin_cmdline, " ", COMMAND_LINE_SIZE);
+-		strlcat(builtin_cmdline, boot_command_line, COMMAND_LINE_SIZE);
+ 		strlcpy(boot_command_line, builtin_cmdline, COMMAND_LINE_SIZE);
+-	}
++#else
++		if (builtin_cmdline[0]) {
++			/* append boot loader cmdline to builtin */
++			strlcat(builtin_cmdline, " ", COMMAND_LINE_SIZE);
++			strlcat(builtin_cmdline, boot_command_line, COMMAND_LINE_SIZE);
++			strlcpy(boot_command_line, builtin_cmdline, COMMAND_LINE_SIZE);
++		}
+ #endif
++	}
+ #endif
+ 
+ 	strlcpy(command_line, boot_command_line, COMMAND_LINE_SIZE);
+diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c
+index 442f51c2a53d..61f65f8ac94f 100644
+--- a/drivers/firmware/efi/libstub/efi-stub-helper.c
++++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
+@@ -12,9 +12,14 @@
+ 
+ #include <linux/efi.h>
+ #include <asm/efi.h>
++#include <asm/setup.h>
+ 
+ #include "efistub.h"
+ 
++#ifdef CONFIG_CMDLINE_BOOL
++static char builtin_cmdline[] = CONFIG_CMDLINE;
++#endif
++
+ /*
+  * Some firmware implementations have problems reading files in one go.
+  * A read chunk size of 1MB seems to work for most platforms.
+@@ -806,6 +811,20 @@ static u8 *efi_utf16_to_utf8(u8 *dst, const u16 *src, int n)
+ #ifndef MAX_CMDLINE_ADDRESS
+ #define MAX_CMDLINE_ADDRESS	ULONG_MAX
+ #endif
++static size_t efi_strlcat(char *dest, const char *src, size_t count)
++{
++	size_t dsize = strlen(dest);
++	size_t len = strlen(src);
++	size_t res = dsize + len;
++
++	dest += dsize;
++	count -= dsize;
++	if (len >= count)
++		len = count-1;
++	memcpy(dest, src, len);
++	dest[len] = 0;
++	return res;
++}
+ 
+ /*
+  * Convert the unicode UEFI command line to ASCII to pass to kernel.
+@@ -816,14 +835,16 @@ char *efi_convert_cmdline(efi_system_table_t *sys_table_arg,
+ 			  efi_loaded_image_t *image,
+ 			  int *cmd_line_len)
+ {
++	unsigned long cmdline_addr = 0;
++	int i;
++	efi_status_t status;
++#ifndef CONFIG_CMDLINE_OVERRIDE
+ 	const u16 *s2;
+ 	u8 *s1 = NULL;
+-	unsigned long cmdline_addr = 0;
+ 	int load_options_chars = image->load_options_size / 2; /* UTF-16 */
+ 	const u16 *options = image->load_options;
+ 	int options_bytes = 0;  /* UTF-8 bytes */
+ 	int options_chars = 0;  /* UTF-16 chars */
+-	efi_status_t status;
+ 	u16 zero = 0;
+ 
+ 	if (options) {
+@@ -842,8 +863,14 @@ char *efi_convert_cmdline(efi_system_table_t *sys_table_arg,
+ 
+ 	options_bytes++;	/* NUL termination */
+ 
++	
++#ifdef CONFIG_CMDLINE_BOOL
++	/* Add length of the built-in command line, plus a space */
++	options_bytes += strlen(builtin_cmdline);
++	options_bytes++;
++#endif
+ 	status = efi_high_alloc(sys_table_arg, options_bytes, 0,
+-				&cmdline_addr, MAX_CMDLINE_ADDRESS);
++		&cmdline_addr, MAX_CMDLINE_ADDRESS);
+ 	if (status != EFI_SUCCESS)
+ 		return NULL;
+ 
+@@ -853,7 +880,24 @@ char *efi_convert_cmdline(efi_system_table_t *sys_table_arg,
+ 	s1 = efi_utf16_to_utf8(s1, s2, options_chars);
+ 	*s1 = '\0';
+ 
++#ifdef CONFIG_CMDLINE_BOOL
++	efi_strlcat((char *)cmdline_addr, " ", COMMAND_LINE_SIZE);
++	efi_strlcat((char *)cmdline_addr, builtin_cmdline, COMMAND_LINE_SIZE);
++#endif
+ 	*cmd_line_len = options_bytes;
++#else /* CONFIG_CMDLINE_OVERRIDE */
++	status = efi_high_alloc(sys_table_arg, strlen(builtin_cmdline), 0,
++			       &cmdline_addr, MAX_CMDLINE_ADDRESS);
++	if (status != EFI_SUCCESS)
++		return NULL;
++	while (builtin_cmdline[i] && i < COMMAND_LINE_SIZE) {
++		((char *)cmdline_addr)[i] = builtin_cmdline[i];
++		i++;
++	}
++	((char *)cmdline_addr)[i] = '\0';
++	*cmd_line_len = strlen(builtin_cmdline);
++#endif /* CONFIG_CMDLINE_OVERRIDE */
++
+ 	return (char *)cmdline_addr;
+ }
+ 
+-- 
+2.20.1
+
diff --git a/core/build/linux_kernel/BUILD b/core/build/linux_kernel/BUILD
index e1f9c9b..f95e16f 100644
--- a/core/build/linux_kernel/BUILD
+++ b/core/build/linux_kernel/BUILD
@@ -1,10 +1,7 @@
 genrule(
-    name = "image",
+    name = "kernel",
     srcs = [
         "@linux_kernel//:all",
-        "@//core/cmd/init",
-        "@//core/build/utils",
-        "initramfs.list",
         "linux-smalltown.config",
     ],
     outs = [
@@ -16,9 +13,6 @@
     mkdir $$DIR/.bin
 
     cp $(location linux-smalltown.config) $$DIR/.config
-    cp $(location @//core/cmd/init) $$DIR/.bin/init
-    cp $(locations @//core/build/utils) $$DIR/.bin/
-    cp $(location initramfs.list) $$DIR/initramfs.list
 
     (cd $$DIR && make -j $$(nproc)) >/dev/null
 
@@ -26,3 +20,30 @@
     """,
     visibility = ["//visibility:public"],
 )
+
+genrule(
+    name = "initramfs",
+    srcs = [
+        "@//core/cmd/init",
+        "@//core/build/utils:mkfs.xfs",
+        "@kubernetes//cmd/kube-apiserver",
+    ],
+    outs = [
+        "initramfs.cpio.lz4",
+    ],
+    cmd = """
+    $(location @linux_kernel//:gen_init_cpio) - <<- 'EOF' | lz4 -l > \"$@\" 
+dir /dev 0755 0 0
+nod /dev/console 0600 0 0 c 5 1
+nod /dev/null 0644 0 0 c 1 3
+file /init $(location @//core/cmd/init) 0755 0 0
+dir /bin 0755 0 0
+file /bin/mkfs.xfs $(location @//core/build/utils:mkfs.xfs) 0755 0 0
+file /bin/kube-apiserver $(location @kubernetes//cmd/kube-apiserver) 0755 0 0
+EOF
+    """,
+    tools = [
+        "@linux_kernel//:gen_init_cpio",
+    ],
+    visibility = ["//visibility:public"],
+)
diff --git a/core/build/linux_kernel/initramfs.list b/core/build/linux_kernel/initramfs.list
deleted file mode 100644
index 71fbfea..0000000
--- a/core/build/linux_kernel/initramfs.list
+++ /dev/null
@@ -1,6 +0,0 @@
-dir /dev 0755 0 0
-nod /dev/console 0600 0 0 c 5 1
-nod /dev/null 0644 0 0 c 1 3
-file /init .bin/init 0755 0 0
-dir /bin 0755 0 0
-file /bin/mkfs.xfs .bin/mkfs.xfs 0755 0 0
diff --git a/core/build/linux_kernel/kbuild-add--fcf-protection-none-to-retpoline-flags.patch b/core/build/linux_kernel/kbuild-add--fcf-protection-none-to-retpoline-flags.patch
new file mode 100644
index 0000000..23f8920
--- /dev/null
+++ b/core/build/linux_kernel/kbuild-add--fcf-protection-none-to-retpoline-flags.patch
@@ -0,0 +1,126 @@
+Copyright 2020 The Monogon Project Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+
+From patchwork Tue Jul  9 18:49:19 2019
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+X-Patchwork-Submitter: Seth Forshee <seth.forshee@canonical.com>
+X-Patchwork-Id: 11037379
+Return-Path: <linux-kbuild-owner@kernel.org>
+Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
+ [172.30.200.125])
+	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id EFE1413A4
+	for <patchwork-linux-kbuild@patchwork.kernel.org>;
+ Tue,  9 Jul 2019 18:49:26 +0000 (UTC)
+Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
+	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D0B0528871
+	for <patchwork-linux-kbuild@patchwork.kernel.org>;
+ Tue,  9 Jul 2019 18:49:26 +0000 (UTC)
+Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
+	id C0AE028874; Tue,  9 Jul 2019 18:49:26 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
+	pdx-wl-mail.web.codeaurora.org
+X-Spam-Level: 
+X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI,
+	RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
+Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
+	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5F01228871
+	for <patchwork-linux-kbuild@patchwork.kernel.org>;
+ Tue,  9 Jul 2019 18:49:26 +0000 (UTC)
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+        id S1727063AbfGIStZ (ORCPT
+        <rfc822;patchwork-linux-kbuild@patchwork.kernel.org>);
+        Tue, 9 Jul 2019 14:49:25 -0400
+Received: from youngberry.canonical.com ([91.189.89.112]:56934 "EHLO
+        youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
+        with ESMTP id S1726133AbfGIStY (ORCPT
+        <rfc822;linux-kbuild@vger.kernel.org>);
+        Tue, 9 Jul 2019 14:49:24 -0400
+Received: from mail-io1-f69.google.com ([209.85.166.69])
+        by youngberry.canonical.com with esmtps
+ (TLS1.0:RSA_AES_128_CBC_SHA1:16)
+        (Exim 4.76)
+        (envelope-from <seth.forshee@canonical.com>)
+        id 1hkvB4-0006CP-8Q
+        for linux-kbuild@vger.kernel.org; Tue, 09 Jul 2019 18:49:22 +0000
+Received: by mail-io1-f69.google.com with SMTP id f22so24034402ioj.9
+        for <linux-kbuild@vger.kernel.org>;
+ Tue, 09 Jul 2019 11:49:22 -0700 (PDT)
+X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+        d=1e100.net; s=20161025;
+        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
+         :content-transfer-encoding;
+        bh=PxPSNMyhSc6n3DVu8+8initQj1WYg71cqa7Dt37YRsc=;
+        b=qHbylZ43xDRjDzcyh6+tvI1FHfj4WWHEfu1q+lcIS5ZnHVkD+Kbs8AvvnQbbzxW/NR
+         G5bnmNRaECN8JpHIl04cEI7ac7X80G/RsTvZqaUhHIcipFo9G//4rbS6wNQXfykAT3s5
+         4Hisn0RwUl/P8ih0rv6GpSKQ42sePwKiFDn1OB/IA5yfeRnBdMX/Yz9fa8WZw5WcyKrx
+         QbHW2Sbh4a+KtOUdW4077l90jaFdGYK0jCi2cbxYZaLaUqlGp7sGOdeCkL0kH04J5Xc+
+         OBSB1sPYyMeJnzD9zgEyFrWZhVqRzutyx8+h6ED5lutxRxcUrJZTcN0t92zjaT7PUK3M
+         6+Cw==
+X-Gm-Message-State: APjAAAV4mJS0j+NGxACnw/Q7oaf1hS+0yO8jvXFLrfIEZr2fl43yGiC5
+        iqZe/xI2zc/WW4hGVu4k4R0nB7XEWLM7muvOK/0zpYsskk7IUOTlyEDFjiMgPSrKYhwVIEpUEAr
+        Rt4W8ClWJWmC7rMIlFISjq8AY8E7Vj6mrgybzttx8sg==
+X-Received: by 2002:a02:cc50:: with SMTP id i16mr3728956jaq.50.1562698161275;
+        Tue, 09 Jul 2019 11:49:21 -0700 (PDT)
+X-Google-Smtp-Source: 
+ APXvYqww71No87FKb3rA8fwT+GlZqF9MtRtPIDfWtG04OMqHpUZRPq3+YiRqWPLQiJMSyPtIx7hDRg==
+X-Received: by 2002:a02:cc50:: with SMTP id i16mr3728928jaq.50.1562698160978;
+        Tue, 09 Jul 2019 11:49:20 -0700 (PDT)
+Received: from localhost ([2605:a601:ac2:fb20:b0e0:a018:77ee:9817])
+        by smtp.gmail.com with ESMTPSA id
+ n17sm20052182iog.63.2019.07.09.11.49.20
+        (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256);
+        Tue, 09 Jul 2019 11:49:20 -0700 (PDT)
+From: Seth Forshee <seth.forshee@canonical.com>
+To: Masahiro Yamada <yamada.masahiro@socionext.com>,
+        Michal Marek <michal.lkml@markovi.net>
+Cc: linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org
+Subject: [PATCH] kbuild: add -fcf-protection=none to retpoline flags
+Date: Tue,  9 Jul 2019 13:49:19 -0500
+Message-Id: <20190709184919.20178-1-seth.forshee@canonical.com>
+X-Mailer: git-send-email 2.20.1
+MIME-Version: 1.0
+Sender: linux-kbuild-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-kbuild.vger.kernel.org>
+X-Mailing-List: linux-kbuild@vger.kernel.org
+X-Virus-Scanned: ClamAV using ClamSMTP
+
+-mindirect-branch and -fcf-protection are not compatible, and
+so kernel builds fail with a gcc build where -fcf-protection is
+enabled by default. Add -fcf-protection=none to the retpoline
+flags to fix this.
+
+Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
+---
+ Makefile | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/Makefile b/Makefile
+index 3e4868a6498b..050f11d19777 100644
+--- a/Makefile
++++ b/Makefile
+@@ -636,6 +636,10 @@ RETPOLINE_CFLAGS_CLANG := -mretpoline-external-thunk
+ RETPOLINE_VDSO_CFLAGS_CLANG := -mretpoline
+ RETPOLINE_CFLAGS := $(call cc-option,$(RETPOLINE_CFLAGS_GCC),$(call cc-option,$(RETPOLINE_CFLAGS_CLANG)))
+ RETPOLINE_VDSO_CFLAGS := $(call cc-option,$(RETPOLINE_VDSO_CFLAGS_GCC),$(call cc-option,$(RETPOLINE_VDSO_CFLAGS_CLANG)))
++# -mindirect-branch is incompatible with -fcf-protection, so ensure the
++# latter is disabled
++RETPOLINE_CFLAGS += $(call cc-option,-fcf-protection=none,)
++RETPOLINE_VDSO_CFLAGS += $(call cc-option,-fcf-protection=none,)
+ export RETPOLINE_CFLAGS
+ export RETPOLINE_VDSO_CFLAGS
+ 
diff --git a/core/build/linux_kernel/linux-signos.config b/core/build/linux_kernel/linux-signos.config
index cec3ff6..e2fcdf3 100644
--- a/core/build/linux_kernel/linux-signos.config
+++ b/core/build/linux_kernel/linux-signos.config
@@ -118,17 +118,12 @@
 # CONFIG_SYSFS_DEPRECATED is not set
 # CONFIG_RELAY is not set
 CONFIG_BLK_DEV_INITRD=y
-CONFIG_INITRAMFS_SOURCE="initramfs.list"
-CONFIG_INITRAMFS_ROOT_UID=0
-CONFIG_INITRAMFS_ROOT_GID=0
 # CONFIG_RD_GZIP is not set
 # CONFIG_RD_BZIP2 is not set
 # CONFIG_RD_LZMA is not set
 # CONFIG_RD_XZ is not set
 # CONFIG_RD_LZO is not set
-# CONFIG_RD_LZ4 is not set
-CONFIG_INITRAMFS_COMPRESSION_NONE=y
-CONFIG_INITRAMFS_COMPRESSION=""
+CONFIG_RD_LZ4=y
 CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y
 # CONFIG_CC_OPTIMIZE_FOR_SIZE is not set
 CONFIG_SYSCTL=y
@@ -374,7 +369,7 @@
 # CONFIG_LEGACY_VSYSCALL_EMULATE is not set
 CONFIG_LEGACY_VSYSCALL_NONE=y
 CONFIG_CMDLINE_BOOL=y
-CONFIG_CMDLINE="earlyprintk=ttyS0 console=ttyS0"
+CONFIG_CMDLINE="console=ttyS0 initrd=\\EFI\\smalltown\\initramfs.cpio.lz4"
 CONFIG_CMDLINE_OVERRIDE=y
 CONFIG_MODIFY_LDT_SYSCALL=y
 CONFIG_HAVE_LIVEPATCH=y
diff --git a/core/cmd/mkimage/main.go b/core/cmd/mkimage/main.go
index a727e8b..a356ca5 100644
--- a/core/cmd/mkimage/main.go
+++ b/core/cmd/mkimage/main.go
@@ -35,7 +35,7 @@
 
 func main() {
 	if len(os.Args) < 3 {
-		fmt.Println("Usage: mkimage <UEFI payload> <image path>")
+		fmt.Println("Usage: mkimage <UEFI payload> <output image path> <initramfs (optional)>")
 		os.Exit(2)
 	}
 	_ = os.Remove(os.Args[2])
@@ -55,12 +55,12 @@
 				Type:  gpt.EFISystemPartition,
 				Name:  "ESP",
 				Start: mibToSectors(1),
-				End:   mibToSectors(128) - 1,
+				End:   mibToSectors(256) - 1,
 			},
 			{
 				Type:  SmalltownDataPartition,
 				Name:  "SIGNOS-DATA",
-				Start: mibToSectors(128),
+				Start: mibToSectors(256),
 				End:   mibToSectors(2560) - 1,
 			},
 		},
@@ -104,6 +104,28 @@
 		fmt.Printf("Failed to write EFI payload: %v", err)
 		os.Exit(1)
 	}
+	initramfs, err := fs.OpenFile("/EFI/smalltown/initramfs.cpio.lz4", os.O_CREATE|os.O_RDWR)
+	if err != nil {
+		fmt.Printf("Failed to open initramfs for writing: %v", err)
+		os.Exit(1)
+	}
+	// If we have more than two arguments, the second one is the initramfs
+	if len(os.Args) > 3 {
+		initramfsSrc, err := os.Open(os.Args[3])
+		if err != nil {
+			fmt.Printf("Failed to open initramfs for reading: %v", err)
+			os.Exit(1)
+		}
+		initramfsFull, err := ioutil.ReadAll(initramfsSrc)
+		if err != nil {
+			fmt.Printf("Failed to read initramfs: %v", err)
+			os.Exit(1)
+		}
+		if _, err := initramfs.Write(initramfsFull); err != nil {
+			fmt.Printf("Failed to write initramfs: %v", err)
+			os.Exit(1)
+		}
+	}
 	if err := diskImg.File.Close(); err != nil {
 		fmt.Printf("Failed to write image: %v", err)
 		os.Exit(1)