From c0ad57779342c138ade0d6ddff0898f75411157a Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 19 Aug 2025 11:01:06 +1000 Subject: [PATCH] Update docs on oops boot parameter --- etc/default/grub.d/40_kernel_hardening.cfg | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 671c28b..38f4ad3 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -118,16 +118,18 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" -## Force the kernel to panic on "oopses". -## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. +## Force the kernel to immediately panic on "oopses". ## Panics may be due to false-positives such as bad drivers. +## Oopses are serious but non-fatal errors. +## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts. +## Note that by forcing kernel panics on oopses, this exposes the system to targeted denial of service attacks. ## ## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Linux_kernel_oops ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## -## KSPP=partial -## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1. +## KSPP=yes +## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1. ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ##
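Review bot: the status change from `## KSPP=partial` to `## KSPP=yes` is a compliance claim rather than a documentation wording fix, and nothing in the hunk (or the "Update docs on oops boot parameter" subject) shows what makes the setting fully satisfied now; if `/usr/libexec/security-misc/panic-on-oops` also covers the `CONFIG_PANIC_TIMEOUT=-1` half, state that on the `## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1.` line (for example "both are applied by panic-on-oops"), otherwise keep `partial` and leave the old "but also requires" wording. Separately, the new comment block reads out of order: `## Panics may be due to false-positives such as bad drivers.` now sits between the option description and `## Oopses are serious but non-fatal errors.`, so the reader meets the caveat before the definition; put the definition first, then the exploitation-detection sentence, then the two caveats (false positives and the new denial-of-service note) together, trim the doubled hedge in "Certain "oopses" can sometimes indicate", and use one quoting style for oopses, since it is quoted on two of the new lines and bare on the other two.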