disable kexec (revert enabling kexec)

remove kexec-utils for ram-wipe since moved to its own package

debian/control

@@ -16,7 +16,7 @@ Package: security-misc
 Architecture: all
 Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin,
  apparmor-profile-dist, helper-scripts, libpam-modules-bin,
- secure-delete, dmsetup, kexec-tools, ${misc:Depends}
+ secure-delete, dmsetup, ${misc:Depends}
 Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest
 Description: Enhances Miscellaneous Security Settings
  https://github.com/Whonix/security-misc/blob/master/README.md

etc/sysctl.d/30_security-misc.conf

@@ -37,8 +37,7 @@ net.core.bpf_jit_harden=2
 ## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
 
 ## Disables kexec which can be used to replace the running kernel.
-## kexec is required for cold boot attack defense
-## kernel.kexec_load_disabled=1
+kernel.kexec_load_disabled=1
 
 ## Hides kernel addresses in various files in /proc.
 ## Kernel addresses can be very useful in certain exploits.