diff --git a/README.md b/README.md index 70d60c5..43677cd 100644 --- a/README.md +++ b/README.md @@ -242,6 +242,11 @@ Kernel space: - Force immediate system reboot on the occurrence of a single kernel panic, reducing the risk and impact of denial-of-service attacks and both cold and warm boot attacks. +- Optional - Force the kernel to immediately panic if it becomes tainted. Some reasons include + upon using out of specification hardware, bad page states, ACPI tables being overridden, + severe firmware bugs, in-kernel tests run, or mutating debug operations. It can also + include the loading of proprietary or out-of-tree modules. + - Prevent sensitive kernel information leaks in the console during boot. - Enable the kernel Electric-Fence sampling-based memory safety error detector diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index ad4169a..e10ea17 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
@@ -163,6 +163,29 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1" +## Force the kernel to immediately panic if it becomes tainted. +## Using kernel documentation can select a subset of taints to create a security policy. +## Requires summing the numbers for each taint state and then converting it to a hexadecimal bitmask. +## Some example combinations are shown below. +## S - Panic on using out of specification hardware: 4 = 0x4. +## B - On the above and bad page faults or some unexpected page flags: 36 = 0x24. +## A - On the above and ACPI tables are overridden by users: 292 = 0x124. +## I - On the above and severe firmware bugs: 2340 = 0x924. +## N - On the above and in-kernel tests have been run: 264484 = 0x40924. +## J - On the above and userspace has used a mutating debug operation: 788772 = 0xC0924. +## G/P, O - On the above and the loading of proprietary or out-of-tree modules: 792869 = 0xC1925. +## All must first be tested to ensure there are no pre-existing issues on user hardware. +## After confirming stability this enforces strict user-defined kernel operation and security at runtime. +## +## https://www.kernel.org/doc/html/latest/admin-guide/tainted-kernels.html +## https://support.scc.suse.com/s/kb/Tainted-kernel-1583239310621?language=en_US +## https://lore.kernel.org/all/20200515175502.146720-1-aquini@redhat.com/T/ +## https://github.com/Kicksecure/security-misc/pull/339 +## +## Note that this must be used with panic=-1 for it to function as intended. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_taint=0xC0924 + ## Prevent sensitive kernel information leaks in the console during boot. ## Must be used in combination with the kernel.printk sysctl. ## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
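Review bot: The README bullet in the first hunk presents panic_on_taint as if it were in effect, but the companion grub hunk ships it commented out (`#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_taint=0xC0924`) and depends on `panic=-1`, which is also commented out in the same file; the bullet should say so and point at where it is configured, e.g. `- Optional (disabled by default, enable in /etc/default/grub.d/40_kernel_hardening.cfg) - Force the kernel to immediately panic if it becomes tainted.` The list of reasons also needs tightening: "Some reasons include upon using out of specification hardware, bad page states, ..." would read better as "Taint reasons include running on out-of-specification hardware, bad page states, user-overridden ACPI tables, severe firmware bugs, in-kernel tests having been run, and mutating debug operations; loading proprietary or out-of-tree modules can optionally be included."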
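Review bot: The example line `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_taint=0xC0924` in the second hunk is missing its closing double quote, so the moment a user uncomments it the file stops parsing and every later `GRUB_CMDLINE_LINUX` append in 40_kernel_hardening.cfg is affected; it should be `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_taint=0xC0924"`. The bit sums check out against the taint table in tainted-kernels.html (S bit 2, B bit 5, A bit 8, I bit 11, N bit 18, J bit 19, G/P bit 0, O bit 12, giving 0x4, 0x24, 0x124, 0x924, 0x40924, 0xC0924 and 0xC1925), but "bad page faults" for B is wrong: that flag means a bad page was referenced or unexpected page flags were seen, which the README hunk gets right as "bad page states". Two wording points: "Using kernel documentation can select a subset of taints" should be "Use the kernel documentation to select a subset of taints", and "this must be used with panic=-1 for it to function as intended" overstates it, since panic_on_taint panics on its own and panic=-1 only turns that panic into an immediate reboot instead of a halt; say that, and mention that panic=-1 is itself commented out a few lines above. It would also help to state why the chosen example 0xC0924 leaves out G/P and O, i.e. so that users with proprietary or out-of-tree modules do not panic at every boot.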