CONFIG_EFI_VARS might be good to disable in the host kernel. It exposes a lot of attack surface as it allows you to mess with EFI variables.
linux/Kconfig at master · torvalds/linux · GitHub
There have been cases of people bricking their computers by accidentally deleting EFI variables. An attacker might be able to do far more by writing specific things to them.
CLIP OS disables this.
There are also the CONFIG_DEV_COREDUMP, CONFIG_WANT_DEV_COREDUMP and CONFIG_ALLOW_DEV_COREDUMP options.
linux/Kconfig at master · torvalds/linux · GitHub
These seem to add a “device coredump” thing regardless of CONFIG_COREDUMP (which we disable).