From 68025d3624e7543deec2fbe43ea0f010344e4160 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 19 Nov 2025 01:16:46 +0000 Subject: [PATCH 1/4] Provide option to `panic_on_taint` --- README.md | 4 ++++ ..._kernel_hardening.cfg#security-misc-shared | 20 +++++++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/README.md b/README.md index 8c232ae..ff4786f 100644 --- a/README.md +++ b/README.md @@ -221,6 +221,10 @@ Kernel space: - Force kernel panics on "oopses" to potentially indicate and thwart certain kernel exploitation attempts. +- Optional - Force the kernel to immediately panic if it becomes tainted. Some reasons include + upon using out of specification hardware, bad page states, severe firmware bugs, and kernel + live patching. Can also include the loading of proprietary, out-of-tree, and unsigned modules. + - Optional - Modify the machine check exception handler. - Prevent sensitive kernel information leaks in the console during boot. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 2eef877..3972cef 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
@@ -139,6 +139,26 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" +## Force the kernel to immediately panic if it becomes tainted. +## Using kernel documentation can select a subset of taints to create a security policy. +## Requires summing the numbers for each taint state and then converting it to a hexadecimal bitmask. +## Some example combinations are shown below. +## Panic on using out of specification hardware: 4 = 0x4. +## Panic on the above and bad page faults or some unexpected page flags: 36 = 0x24. +## Panic on the above and severe firmware bugs: 2084 = 0x824. +## Panic on the above and kernel live patching: 34852 = 0x8824. +## Panic on the above and the loading of proprietary, out-of-tree, or unsigned modules: 47141 = 0xB7C5. +## All must first be tested to ensure there are no pre-existing issues on user hardware. +## After confirming stability this enforces strict user-defined kernel operation and security at runtime. +## +## https://www.kernel.org/doc/html/latest/admin-guide/tainted-kernels.html +## https://support.scc.suse.com/s/kb/Tainted-kernel-1583239310621?language=en_US +## https://lore.kernel.org/all/20200515175502.146720-1-aquini@redhat.com/T/ +## +## Note that this must be used with panic=-1 for it to function as intended. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_taint=0x8824: + ## Modify machine check exception handler. ## Can decide whether the system should panic or not based on the occurrence of an exception. ## From 30068ec8cdaa7a6778f0ba0b423f7ab3c3391759 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sat, 22 Nov 2025 15:01:47 +1100 Subject: [PATCH 2/4] Correct bitmask --- etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 3972cef..79b52bf 100644 
--- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -147,7 +147,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## Panic on the above and bad page faults or some unexpected page flags: 36 = 0x24. ## Panic on the above and severe firmware bugs: 2084 = 0x824. ## Panic on the above and kernel live patching: 34852 = 0x8824. -## Panic on the above and the loading of proprietary, out-of-tree, or unsigned modules: 47141 = 0xB7C5. +## Panic on the above and the loading of proprietary, out-of-tree, or unsigned modules: 47141 = 0xB825. ## All must first be tested to ensure there are no pre-existing issues on user hardware. ## After confirming stability this enforces strict user-defined kernel operation and security at runtime. ## From 650b923c7a88820d3a899596e32016e1c3f6cc57 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sat, 13 Dec 2025 04:35:02 +0000 Subject: [PATCH 3/4] Update option to `panic_on_taint` --- README.md | 4 ++-- .../40_kernel_hardening.cfg#security-misc-shared | 14 ++++++++------ 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 5edecca..82a0656 100644 --- a/README.md +++ b/README.md @@ -237,8 +237,8 @@ Kernel space: risk and impact of denial-of-service attacks and both cold and warm boot attacks. - Optional - Force the kernel to immediately panic if it becomes tainted. Some reasons include - upon using out of specification hardware, bad page states, severe firmware bugs, and kernel - live patching. Can also include the loading of proprietary, out-of-tree, and unsigned modules. + upon using out of specification hardware, bad page states, severe firmware bugs. It can also + include the loading of proprietary, out-of-tree, and unsigned modules. - Prevent sensitive kernel information leaks in the console during boot. 
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 4fc70e2..ab4e954 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
@@ -167,21 +167,23 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## Using kernel documentation can select a subset of taints to create a security policy. ## Requires summing the numbers for each taint state and then converting it to a hexadecimal bitmask. ## Some example combinations are shown below. -## Panic on using out of specification hardware: 4 = 0x4. -## Panic on the above and bad page faults or some unexpected page flags: 36 = 0x24. -## Panic on the above and severe firmware bugs: 2084 = 0x824. -## Panic on the above and kernel live patching: 34852 = 0x8824. -## Panic on the above and the loading of proprietary, out-of-tree, or unsigned modules: 47141 = 0xB825. +## S - Panic on using out of specification hardware: 4 = 0x4. +## B - On the above and bad page faults or some unexpected page flags: 36 = 0x24. +## I - On the above and severe firmware bugs: 2084 = 0x824. +## N - On the above and if an in-kernel test has been run: 264228 = 0x40824. +## J - On the above and if userspace used a mutating debug operation: 788516 = 0xC0824. +## G/P, O, E - On the above and the loading of proprietary, out-of-tree, or unsigned modules: 800805 = 0xC3825. ## All must first be tested to ensure there are no pre-existing issues on user hardware. ## After confirming stability this enforces strict user-defined kernel operation and security at runtime. ## ## https://www.kernel.org/doc/html/latest/admin-guide/tainted-kernels.html ## https://support.scc.suse.com/s/kb/Tainted-kernel-1583239310621?language=en_US ## https://lore.kernel.org/all/20200515175502.146720-1-aquini@redhat.com/T/ +## https://github.com/Kicksecure/security-misc/pull/339 ## ## Note that this must be used with panic=-1 for it to function as intended. ## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_taint=0x8824: +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_taint=0xC0824 ## Prevent sensitive kernel information leaks in the console during boot. 
## Must be used in combination with the kernel.printk sysctl. From eaf0f814bdbe52739d3b3270bb2549bbdc2753f2 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 14 Dec 2025 11:18:08 +0000 Subject: [PATCH 4/4] Update option to `panic_on_taint` --- README.md | 5 +++-- .../40_kernel_hardening.cfg#security-misc-shared | 11 ++++++----- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 82a0656..f09ee40 100644 --- a/README.md +++ b/README.md @@ -237,8 +237,9 @@ Kernel space: risk and impact of denial-of-service attacks and both cold and warm boot attacks. - Optional - Force the kernel to immediately panic if it becomes tainted. Some reasons include - upon using out of specification hardware, bad page states, severe firmware bugs. It can also - include the loading of proprietary, out-of-tree, and unsigned modules. + upon using out of specification hardware, bad page states, ACPI tables being overridden, + severe firmware bugs, in-kernel tests run, or mutating debug operations. It can also + include the loading of proprietary or out-of-tree modules. - Prevent sensitive kernel information leaks in the console during boot. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index ab4e954..24d6d60 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
@@ -169,10 +169,11 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## Some example combinations are shown below. ## S - Panic on using out of specification hardware: 4 = 0x4. ## B - On the above and bad page faults or some unexpected page flags: 36 = 0x24. -## I - On the above and severe firmware bugs: 2084 = 0x824. -## N - On the above and if an in-kernel test has been run: 264228 = 0x40824. -## J - On the above and if userspace used a mutating debug operation: 788516 = 0xC0824. -## G/P, O, E - On the above and the loading of proprietary, out-of-tree, or unsigned modules: 800805 = 0xC3825. +## A - On the above and ACPI tables are overridden by users: 292 = 0x124. +## I - On the above and severe firmware bugs: 2340 = 0x924. +## N - On the above and in-kernel tests have been run: 264484 = 0x40924. +## J - On the above and userspace has used a mutating debug operation: 788772 = 0xC0924. +## G/P, O - On the above and the loading of proprietary or out-of-tree modules: 792869 = 0xC1925. ## All must first be tested to ensure there are no pre-existing issues on user hardware. ## After confirming stability this enforces strict user-defined kernel operation and security at runtime. ## @@ -183,7 +184,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## ## Note that this must be used with panic=-1 for it to function as intended. ## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_taint=0xC0824 +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_taint=0xC0924 ## Prevent sensitive kernel information leaks in the console during boot. ## Must be used in combination with the kernel.printk sysctl.
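Review bot: the commented-out `GRUB_CMDLINE_LINUX` line is never terminated: patch 1 ends it with a stray `:` (`panic_on_taint=0x8824:`), and patches 3 and 4 drop the closing quote entirely (`panic_on_taint=0xC0824`, `panic_on_taint=0xC0924`). Because the line is commented it is harmless today, but a user who uncomments it as written gets an unterminated string when the grub.d fragment is sourced, so the final form should be `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_taint=0xC0924"`.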
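Review bot: the bitmask arithmetic in the final table checks out (S=4, B=32, A=256, I=2048, N=262144, J=524288, G/P=1, O=4096 sum to 292 = 0x124, 2340 = 0x924, 264484 = 0x40924, 788772 = 0xC0924 and 792869 = 0xC1925), and patch 2's correction of 0xB7C5 to 0xB825 is right, but the series shows how easy it is to get these wrong by hand. Suggest listing the per-flag value or bit number next to each letter (for example `A (bit 8, 256)`) so a reader can verify the cumulative totals, or stating the formula once, such as `printf '0x%x\n' $((4+32+256+2048+262144+524288))`, instead of asking readers to sum and convert themselves.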
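Review bot: two documentation nits in the config comment block. "Using kernel documentation can select a subset of taints to create a security policy." has no subject; "Use the kernel documentation to select a subset of taints as a security policy." reads cleanly. And "Note that this must be used with panic=-1 for it to function as intended." should say what `panic=-1` adds: `panic_on_taint` triggers the panic on its own, while `panic=-1` sets the reboot timeout so the machine restarts immediately instead of hanging at the panic, which is the intended behaviour the note is alluding to.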