diff --git a/README.md b/README.md index ac12886..ed9c740 100644 --- a/README.md +++ b/README.md @@ -221,9 +221,8 @@ Kernel space: - Disable 32-bit vDSO mappings as they are a legacy compatibility feature. -- Optional - Use kCFI as the default CFI implementation (when using Linux kernel >= 6.2) - since it may be slightly more resilient to attacks that are able to write - arbitrary executables in memory. +- Use kCFI as the default CFI implementation as it is more resilient to attacks that able + to write arbitrary executables into memory omitting the necessary hash validation. - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) to reduce attack surface. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 671c28b..685f673 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -186,15 +186,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## The default implementation is FineIBT as of Linux kernel 6.2. ## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU. ## kCFI is software-only while FineIBT is a hybrid software/hardware implementation. -## FineIBT may result in some performance benefits as it only performs checking at destinations. +## FineIBT may result in some performance benefits as it only performs hash checks at the destinations. +## kCFI mandates hash validation at the source (which is randomized), making it more difficult to bypass. ## FineIBT is considered weaker against attacks that can write arbitrary executables into memory. -## Upstream hardening work has provided users the ability to disable FineIBT based on requests. -## Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both. -## Do not modify from the default setting if unsure of implications. ## -## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/ +## https://lwn.net/Articles/891976/ ## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u ## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/ +## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/ ## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/ ## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/ ## https://docs.kernel.org/next/x86/shstk.html @@ -205,10 +204,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## KSPP=yes ## KSPP sets the kernel parameter. ## -## TODO: Debian 13 Trixie -## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness). -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi" ## Disable support for x86 processes and syscalls. ## Unconditionally disables IA32 emulation to substantially reduce attack surface.
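Review bot: the new README wording in the first hunk drops a word and leaves the hash clause ambiguous: "attacks that able to write arbitrary executables into memory omitting the necessary hash validation" reads as though the attack omits the validation. Suggest "attacks that are able to write arbitrary executables into memory, since such code can skip the destination-side hash check that FineIBT relies on", which also matches the reasoning given in the grub comment. The removed line also carried the "(when using Linux kernel >= 6.2)" qualifier; since the neighbouring x86 entry keeps its "(when using Linux kernel >= 6.7)" note, the kCFI entry should keep its minimum-version note for consistency.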
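Review bot: in the 40_kernel_hardening.cfg comment hunk, "kCFI mandates hash validation at the source (which is randomized)" does not say what is randomized (the hash value, its placement, or the call site), so a reader cannot tell what property makes the bypass harder; spell it out or cite the specific reference that describes it. This hunk also deletes "Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both." and "Do not modify from the default setting if unsure of implications." while the remaining text still states that FineIBT "may result in some performance benefits", so a trade-off still exists; keep at least the threat-model sentence so the reader knows the file is now overriding the kernel default deliberately.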
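Review bot: the final hunk activates `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"` unconditionally and at the same time removes "Applicable when using Linux kernel >= 6.2", which was the only place this file recorded the minimum kernel version for the `cfi=` parameter (the comment above still says the FineIBT default exists "as of Linux kernel 6.2"). Suggest keeping a version note next to the now-active line, in the same style as the "(when using Linux kernel >= 6.7)" note on the x86 entry below it, and replacing the removed "TODO: Debian 13 Trixie" with a statement of which shipped kernels this has been verified on.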