Can any third party help to review hardened-vm-kernel? Could you submit this to anthraxx/linux-hardened on GitHub, please?
Could you please submit this to Debian or Linux upstream? At least need to see someone else’s feedback.
That’s the idea of verified boot.
(enable Linux kernel gpg verification in grub and/or enable Secure Boot by default)
Indeed. I don’t see any substitute for verified boot. Anything else will either be limiting features (too much) and even then there might be clever ways to circumvent it.