From b9d4f0aaa565ab478a8e0ef4cef27bc49457da42 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Sun, 14 Dec 2025 14:24:33 -0600 Subject: [PATCH] Add minor clarifications --- README.md | 2 +- .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 43677cd..00b559a 100644 --- a/README.md +++ b/README.md @@ -244,7 +244,7 @@ Kernel space: - Optional - Force the kernel to immediately panic if it becomes tainted. Some reasons include upon using out of specification hardware, bad page states, ACPI tables being overridden, - severe firmware bugs, in-kernel tests run, or mutating debug operations. It can also + severe firmware bugs, in-kernel tests run, or mutating fwctl debug operations. It can also include the loading of proprietary or out-of-tree modules. - Prevent sensitive kernel information leaks in the console during boot. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index e10ea17..d75922d 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -164,7 +164,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1" ## Force the kernel to immediately panic if it becomes tainted. -## Using kernel documentation can select a subset of taints to create a security policy. +## Using kernel documentation, one can select a subset of taints to create a security policy. ## Requires summing the numbers for each taint state and then converting it to a hexadecimal bitmask. ## Some example combinations are shown below. ## S - Panic on using out of specification hardware: 4 = 0x4. 
@@ -172,10 +172,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## A - On the above and ACPI tables are overridden by users: 292 = 0x124. ## I - On the above and severe firmware bugs: 2340 = 0x924. ## N - On the above and in-kernel tests have been run: 264484 = 0x40924. -## J - On the above and userspace has used a mutating debug operation: 788772 = 0xC0924. +## J - On the above and userspace has used a mutating debug operation in fwctl: 788772 = 0xC0924. ## G/P, O - On the above and the loading of proprietary or out-of-tree modules: 792869 = 0xC1925. ## All must first be tested to ensure there are no pre-existing issues on user hardware. -## After confirming stability this enforces strict user-defined kernel operation and security at runtime. +## After confirming stability this reduces attack surface. ## ## https://www.kernel.org/doc/html/latest/admin-guide/tainted-kernels.html ## https://support.scc.suse.com/s/kb/Tainted-kernel-1583239310621?language=en_US
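Review bot: in the README hunk, the new bullet wording "mutating fwctl debug operations" introduces the term fwctl without any anchor for a README reader, while the grub.d comment for the same taint describes it as userspace using a mutating debug operation in fwctl and sits next to the tainted-kernels documentation links. Consider aligning the two phrasings (for example "mutating debug operations via fwctl") and carrying the same documentation link into the README bullet so both files explain the J taint the same way.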
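Review bot: in the @@ -164 hunk, "Using kernel documentation, one can select a subset of taints to create a security policy." still leaves the reader to locate that documentation, although the two URLs are already part of this comment block (they close the example list in the next hunk); "Using the kernel documentation linked below" would point them there directly. The following context line, "Requires summing the numbers for each taint state and then converting it to a hexadecimal bitmask.", also reads as if the hex form were a separate required step, whereas the examples simply show the same sum in both notations (4 = 0x4, 292 = 0x124); "expressed as a hexadecimal bitmask" would be clearer.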
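Review bot: in the @@ -172 hunk, the replacement line "After confirming stability this reduces attack surface." misdescribes what panic-on-taint does: panicking when a taint flag is set removes no attack surface, it makes the kernel fail closed once one of the selected conditions (overridden ACPI tables, severe firmware bugs, in-kernel tests, mutating fwctl operations, proprietary or out-of-tree modules) is observed at runtime, trading availability for the guarantee that the system does not keep running in a state the policy disallows. Suggest wording such as "After confirming stability, the kernel will panic rather than continue running once any of the selected taint conditions occurs." The preceding line about testing on user hardware first is the right caveat for that trade-off and should stay as is.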