diff --git a/README.md b/README.md
index ac12886..e853332 100644
--- a/README.md
+++ b/README.md
@@ -52,8 +52,7 @@ configuration file and significant hardening is applied to a myriad of component
 - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
-- Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been
- the source of numerous kernel exploits.
+- Disable asynchronous I/O as `io_uring` has been the source of numerous kernel exploits.
 #### User space
@@ -225,8 +224,7 @@ Kernel space:
 since it may be slightly more resilient to attacks that are able to write arbitrary executables in memory.
-- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7)
- to reduce attack surface.
+- Optional - Disable support for all x86 processes and syscalls to reduce attack surface.
 - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs and other persistent data to either the UEFI variable storage or ACPI ERST backends.
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 671c28b..1f3cc7c 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -218,9 +218,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 ## KSPP=yes
 ## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL.
 ##
-## TODO: Debian 13 Trixie
-## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
-##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
 ## Disable EFI persistent storage feature.
diff --git a/etc/default/grub.d/41_recovery_restrict.cfg b/etc/default/grub.d/41_recovery_restrict.cfg
index f54247b..5da19e7 100644
--- a/etc/default/grub.d/41_recovery_restrict.cfg
+++ b/etc/default/grub.d/41_recovery_restrict.cfg
@@ -7,14 +7,17 @@
 ## KSPP=no: not (currently) compliant with recommendations by the KSPP
 ## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
-## Disable access to single-user (recovery) mode.
+## Disable access to the GRUB single-user (recovery) mode menu entries.
 ##
 ## https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727
 ##
 GRUB_DISABLE_RECOVERY="true"
 ## Disable access to Dracut's recovery console.
+## Prevents the emergency shell from starting automatically during boot failures.
 ##
+## https://insinuator.net/2025/07/insecure-boot-injecting-initramfs-from-a-debug-shell/
+## https://serverfault.com/questions/554853/how-can-i-secure-the-dracut-shell
 ## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724
 ##
 GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.emergency=halt"
diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf
index 5ce1edc..936e26a 100644
--- a/etc/modprobe.d/30_security-misc_blacklist.conf
+++ b/etc/modprobe.d/30_security-misc_blacklist.conf
@@ -27,7 +27,7 @@ blacklist sr_mod
 ## Partial selection of their infrastructure blacklist.
 ## Duplicate and already disabled modules have been omitted.
 ##
-## https://github.com/GrapheneOS/infrastructure/blob/main/modprobe.d/local.conf
+## https://github.com/GrapheneOS/infrastructure/blob/main/etc/modprobe.d/local.conf
 ##
 #blacklist cfg80211
 #blacklist intel_agp
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index eaa671e..23dc6ef 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
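Review bot: The new comment on the Dracut block reads as though the emergency shell is blocked outright, but `rd.emergency=halt` is appended to GRUB_CMDLINE_LINUX_DEFAULT, which GRUB applies only to the default menu entries and not to recovery entries; the setting therefore leans on the `GRUB_DISABLE_RECOVERY="true"` line just above it, and anyone who re-enables recovery entries would boot them without it. That coupling is worth recording next to the new comment, e.g. `## Set via GRUB_CMDLINE_LINUX_DEFAULT, so it only reaches the default entries; recovery entries are removed by GRUB_DISABLE_RECOVERY above.` The parameter also only decides what dracut does when the initramfs fails, not whether a shell can be requested explicitly through an edited command line, so the protection is only as strong as the boot loader's command line being non-editable. Judging by its title, the insinuator.net link added here describes exactly that path, so a short clause saying so would make the reference more useful than a bare URL.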
@@ -197,19 +197,17 @@ kernel.perf_event_paranoid=3
 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
 ## Can lead to privilege escalation by pushing characters into a controlling TTY.
 ## Will break out-dated screen readers that continue to rely on this legacy functionality.
+## Note this was already disabled by default as of Linux kernel 6.2.
 ##
 ## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/
 ##
 ## KSPP=yes
 ## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI.
 ##
-## TODO: Debian 13 Trixie
-## This is disabled by default when using Linux kernel >= 6.2.
-##
 dev.tty.legacy_tiocsti=0
 ## Disable asynchronous I/O for all processes.
-## Leading cause of numerous kernel exploits.
+## Use of io_uring has been the leading cause of numerous kernel exploits.
 ## Disabling will reduce the read/write performance of storage devices.
 ##
 ## https://en.wikipedia.org/wiki/Io_uring#Security
@@ -218,9 +216,6 @@ dev.tty.legacy_tiocsti=0
 ## https://github.com/moby/moby/pull/46762
 ## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890
 ##
-## TODO: Debian 13 Trixie
-## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness).
-##
 kernel.io_uring_disabled=2
 ## 2. User Space:
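Review bot: The added line `## Note this was already disabled by default as of Linux kernel 6.2.` overstates what 6.2 did: as far as I can tell, that release introduced the sysctl with its default taken from the build option CONFIG_LEGACY_TIOCSTI, whose upstream default keeps TIOCSTI enabled, so whether it is off by default depends on the distribution's kernel config rather than on the kernel version alone. The hunk's own KSPP line ("does not set CONFIG_LEGACY_TIOCSTI") points at the same dependency, which is also why keeping `dev.tty.legacy_tiocsti=0` explicit matters. I would reword it to `## Note: since Linux 6.2 the default is taken from CONFIG_LEGACY_TIOCSTI, so distribution kernels may still enable it; the sysctl enforces it regardless.` The same hunk's io_uring rewording is fine as written.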