You mean using CONFIG_CMDLINE="hardened-kernel" to detect that a hardened kernel is running and therefore setting different grub command line options? That might not work well. Could be a similar issue to this.
- When Whonix is build in chroot, this will not be set. Hence,
update-grubwould not set these options. - Similar when someone is still booting a standard kernel and wants to try out the hardened kernel. At kernel installation time, still the standard kernel is running. Hence,
update-grubwould not set these options. - When booting a hardened kernel,
update-grubwould set these kernel command for co-installed standard kernels too.