diff --git a/.reuse/dep5 b/.reuse/dep5
index 6dfb6e43a..dbf91775b 100644
--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -7,5 +7,5 @@ Copyright: 2022-2024 Technology Innovation Institute (TII) <https://github.com/t
 License: Apache-2.0
 Files: 
   *.lock *.png *.svg *.patch *.db *.key *.pem *.cer *.p12
-  modules/host/ghaf_host_hardened_baseline-x86
+  modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86
   modules/host/ghaf_host_hardened_baseline-jetson-orin
diff --git a/docs/src/architecture/hardening.md b/docs/src/architecture/hardening.md
index 47aaa40da..ea8281ee3 100644
--- a/docs/src/architecture/hardening.md
+++ b/docs/src/architecture/hardening.md
@@ -25,10 +25,10 @@ NixOS provides several mechanisms to customize the kernel. The main methods are:
   ```
   ~/ghaf $ nix develop .#devShells.x86_64-linux.kernel-x86
   ...
-  [ghaf-kernel-devshell:~/ghaf/linux-6.6.5]$ cp ../modules/host/ghaf_host_hardened_baseline .config
-  [ghaf-kernel-devshell:~/ghaf/linux-6.6.5]$ make menuconfig
+  [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ cp ../modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline .config
+  [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ make menuconfig
   ...
-  [ghaf-kernel-devshell:~/ghaf/linux-6.6.5]$ make -j$(nproc)
+  [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ make -j$(nproc)
   ...
   Kernel: arch/x86/boot/bzImage
   ```
@@ -36,25 +36,31 @@ NixOS provides several mechanisms to customize the kernel. The main methods are:
 * Booting the built kernel with QEMU:
 
   ```
-  [ghaf-kernel-devshell:~/ghaf/linux-6.6.5]$ qemu-system-x86_64 -kernel arch/x86/boot/bzImage
+  [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ qemu-system-x86_64 -kernel arch/x86/boot/bzImage
   ```
 
 * [Validating with kernel hardening checker](https://github.com/a13xp0p0v/kernel-hardening-checker):
 
   ```
-  [ghaf-kernel-devshell:~/ghaf/linux-6.6.5]$ kernel-hardening-checker -c ../modules/host/ghaf_host_hardened_baseline
-  [+] Kconfig file to check: ../modules/host/ghaf_host_hardened_baseline
+  [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ cp ../modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline .config
+  [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ HS=../modules/hardware/x86_64-generic/kernel/host/configs GS=../modules/hardware/x86_64-generic/kernel/guest/configs
+  [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ ./scripts/kconfig/merge_config.sh .config $HS/virtualization.config $HS/networking.config $HS/usb.config $HS/user-input-devices.config $HS/debug.config $GS/guest.config $GS/display-gpu.config
+  [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ kernel-hardening-checker -c .config
+  [+] Kconfig file to check: .config
   [+] Detected microarchitecture: X86_64
   [+] Detected kernel version: 6.6
   [+] Detected compiler: GCC 120300
   ...
-  [+] Config check is finished: 'OK' - 188 / 'FAIL' - 5
-  [ghaf-kernel-devshell:~/ghaf/linux-6.6.5]$ kernel-hardening-checker -c ../modules/host/ghaf_host_hardened_baseline|grep 'FAIL: '
+  [+] Config check is finished: 'OK' - 188 / 'FAIL' - 8
+  [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ kernel-hardening-checker -c .config| grep 'FAIL: '
   CONFIG_CFI_CLANG                        |kconfig|     y      |   kspp   | self_protection  | FAIL: is not found
   CONFIG_CFI_PERMISSIVE                   |kconfig| is not set |   kspp   | self_protection  | FAIL: CONFIG_CFI_CLANG is not "y"
   CONFIG_MODULES                          |kconfig| is not set |   kspp   |cut_attack_surface| FAIL: "y"
+  CONFIG_KCMP                             |kconfig| is not set |  grsec   |cut_attack_surface| FAIL: "y"
   CONFIG_FB                               |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
   CONFIG_VT                               |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
+  CONFIG_KSM                              |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"
+  CONFIG_TRIM_UNUSED_KSYMS                |kconfig|     y      |    my    |cut_attack_surface| FAIL: "is not set"
   ```
 
 
@@ -65,6 +71,48 @@ The host kernel runs on bare metal. The kernel is provided either with Linux ups
 
 #### `x86-64-linux`
 
-The host kernel hardening is based on Linux `make tinyconfig`. The default `tinyconfig` fails to assertions on NixOS without modifications. Assertions are fixed in `ghaf_host_hardened_baseline` Linux configuration under Ghaf `modules/host/`.
+The host kernel hardening is based on Linux `make tinyconfig`. The
+default `tinyconfig` fails to assertions on NixOS without
+modifications. Assertions are fixed in the `ghaf_host_hardened_baseline` Linux configuration under Ghaf
+`modules/hardware/x86_64-generic/kernel/configs`. Resulting baseline
+kernel configuration is generic for x86_64 hardware architecture devices.
 
 In addition, NixOS (Ghaf baseline dependency) requires several kernel modules that are added to the config or ignored with `allowMissing = true`. As of now, the kernel builds and early boots on Lenovo X1.
+
+### Virtualization Support
+
+The host Virtualization support will add the required kernel config dependency to the Ghaf baseline by which NixOS has virtualization enabled. It can be enabled with the following flag `ghaf.host.kernel_virtualization_hardening.enable` for Lenovo X1.
+
+### Networking Support
+
+The host Networking support will add the required kernel config dependency to the Ghaf baseline by which NixOS has networking enabled, It can be enabled with the following flag `ghaf.host.kernel_networking_hardening.enable` for Lenovo X1.
+
+### USB Support
+
+USB support on host is for the `-debug-profile` builds, not for hardened host -release-builds. As of now, USB support needs to be enabled when debug support to host via USB ethernet adapter (Lenovo X1) is needed or when the user want to boot Ghaf using an external SSD. It is optional in case Ghaf is used with internal NVME.
+
+It can be enabled with the following flag `ghaf.host.kernel_usb_hardening.enable` for Lenovo X1.
+
+### User Input Devices Support
+
+The User Input Devices support will add the required kernel config dependency to the Ghaf baseline by which NixOS has user input devices enabled. It can be enabled with the following flag `ghaf.host.kernel_inputdevices_hardening.enable` for Lenovo X1.
+
+To enable GUI, set Virtualization, Networking and User Input Devices support. As of now, the kernel builds and can boot on Lenovo X1.
+
+### Debug Support
+
+The Debug support on host is for the `-debug-profile` builds, not for hardened host -release-builds. It can be helpful when debugging functionality is needed in a development environment.
+
+It can be enabled with the following flag `ghaf.host.kernel.debug_hardening.enable` for Lenovo X1.
+
+### Guest Support
+
+The Guest support will add the required kernel config dependency to the Ghaf baseline by which NixOS has guest enabled. The added functionality is vsock for host-to-guest and guest-to-guest communication.
+
+It can be enabled with the following flag `guest.hardening.enable` for Lenovo X1.
+
+### Guest Graphics Support
+
+The Guest Graphics support will add the required kernel config dependency to the Ghaf baseline by which NixOS has guest graphics enabled. The added functionality is for guest with graphics support enabled.
+
+It can be enabled with the following flag `guest.graphics_hardening.enable` for Lenovo X1.
\ No newline at end of file
diff --git a/modules/hardware/lenovo-x1/kernel/guest/test/default.nix b/modules/hardware/lenovo-x1/kernel/guest/test/default.nix
new file mode 100644
index 000000000..288fd2e55
--- /dev/null
+++ b/modules/hardware/lenovo-x1/kernel/guest/test/default.nix
@@ -0,0 +1,6 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{pkgs, ...}: let
+  config = pkgs.nixos [./test-configuration.nix];
+in
+  config.config.system.build.toplevel
diff --git a/modules/hardware/lenovo-x1/kernel/guest/test/test-configuration.nix b/modules/hardware/lenovo-x1/kernel/guest/test/test-configuration.nix
new file mode 100644
index 000000000..cbb6e4694
--- /dev/null
+++ b/modules/hardware/lenovo-x1/kernel/guest/test/test-configuration.nix
@@ -0,0 +1,34 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  config,
+  lib,
+  ...
+}: {
+  imports = [
+    ../../../../x86_64-generic/kernel/host/default.nix
+    ../../../../x86_64-generic/kernel/guest/default.nix
+  ];
+
+  # baseline, virtualization and network hardening are
+  # generic to all x86_64 devices
+  config.ghaf.host.kernel.hardening.enable = true;
+  config.ghaf.host.kernel.hardening.virtualization.enable = true;
+  config.ghaf.host.kernel.hardening.networking.enable = true;
+  config.ghaf.host.kernel.hardening.inputdevices.enable = true;
+  # usb/debug hardening is host optional but required for -debug builds
+  config.ghaf.host.kernel.hardening.usb.enable = true;
+  config.ghaf.host.kernel.hardening.debug.enable = true;
+
+  # guest VM kernel specific options
+  config.ghaf.guest.kernel.hardening.enable = true;
+  config.ghaf.guest.kernel.hardening.graphics.enable = true;
+
+  # required to module test a module via top level configuration
+  config.boot.loader.systemd-boot.enable = true;
+  config.fileSystems."/" = {
+    device = "/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000";
+    fsType = "ext4";
+  };
+  config.system.stateVersion = lib.trivial.release;
+}
diff --git a/modules/host/ghaf_host_hardened_baseline-x86 b/modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86
similarity index 91%
rename from modules/host/ghaf_host_hardened_baseline-x86
rename to modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86
index b55448c28..653d44b2b 100644
--- a/modules/host/ghaf_host_hardened_baseline-x86
+++ b/modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86
@@ -28,7 +28,7 @@ CONFIG_THREAD_INFO_IN_TASK=y
 CONFIG_INIT_ENV_ARG_LIMIT=32
 # CONFIG_COMPILE_TEST is not set
 CONFIG_WERROR=y
-CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION="-ghaf-hardened"
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_BUILD_SALT=""
 CONFIG_HAVE_KERNEL_GZIP=y
@@ -864,60 +864,11 @@ CONFIG_UNIX=y
 CONFIG_UNIX_SCM=y
 CONFIG_AF_UNIX_OOB=y
 # CONFIG_UNIX_DIAG is not set
-# CONFIG_TLS is not set
-# CONFIG_XFRM_USER is not set
-# CONFIG_NET_KEY is not set
-CONFIG_INET=y
-# CONFIG_IP_MULTICAST is not set
-# CONFIG_IP_ADVANCED_ROUTER is not set
-# CONFIG_IP_PNP is not set
-# CONFIG_NET_IPIP is not set
-# CONFIG_NET_IPGRE_DEMUX is not set
-CONFIG_NET_IP_TUNNEL=y
-CONFIG_SYN_COOKIES=y
-# CONFIG_NET_IPVTI is not set
-# CONFIG_NET_FOU is not set
-# CONFIG_NET_FOU_IP_TUNNELS is not set
-# CONFIG_INET_AH is not set
-# CONFIG_INET_ESP is not set
-# CONFIG_INET_IPCOMP is not set
-CONFIG_INET_TABLE_PERTURB_ORDER=16
-CONFIG_INET_TUNNEL=y
-# CONFIG_INET_DIAG is not set
-# CONFIG_TCP_CONG_ADVANCED is not set
-CONFIG_TCP_CONG_CUBIC=y
-CONFIG_DEFAULT_TCP_CONG="cubic"
-# CONFIG_TCP_MD5SIG is not set
-CONFIG_IPV6=y
-# CONFIG_IPV6_ROUTER_PREF is not set
-# CONFIG_IPV6_OPTIMISTIC_DAD is not set
-# CONFIG_INET6_AH is not set
-# CONFIG_INET6_ESP is not set
-# CONFIG_INET6_IPCOMP is not set
-# CONFIG_IPV6_MIP6 is not set
-# CONFIG_IPV6_VTI is not set
-CONFIG_IPV6_SIT=y
-# CONFIG_IPV6_SIT_6RD is not set
-CONFIG_IPV6_NDISC_NODETYPE=y
-# CONFIG_IPV6_TUNNEL is not set
-# CONFIG_IPV6_MULTIPLE_TABLES is not set
-# CONFIG_IPV6_MROUTE is not set
-# CONFIG_IPV6_SEG6_LWTUNNEL is not set
-# CONFIG_IPV6_SEG6_HMAC is not set
-# CONFIG_IPV6_RPL_LWTUNNEL is not set
-# CONFIG_IPV6_IOAM6_LWTUNNEL is not set
-# CONFIG_NETLABEL is not set
-# CONFIG_MPTCP is not set
+# CONFIG_INET is not set
 CONFIG_NETWORK_SECMARK=y
 # CONFIG_NETWORK_PHY_TIMESTAMPING is not set
 # CONFIG_NETFILTER is not set
-# CONFIG_BPFILTER is not set
-# CONFIG_IP_DCCP is not set
-# CONFIG_IP_SCTP is not set
-# CONFIG_RDS is not set
-# CONFIG_TIPC is not set
 # CONFIG_ATM is not set
-# CONFIG_L2TP is not set
 # CONFIG_BRIDGE is not set
 # CONFIG_VLAN_8021Q is not set
 # CONFIG_LLC2 is not set
@@ -925,22 +876,17 @@ CONFIG_NETWORK_SECMARK=y
 # CONFIG_X25 is not set
 # CONFIG_LAPB is not set
 # CONFIG_PHONET is not set
-# CONFIG_6LOWPAN is not set
 # CONFIG_IEEE802154 is not set
 # CONFIG_NET_SCHED is not set
 # CONFIG_DCB is not set
 # CONFIG_DNS_RESOLVER is not set
 # CONFIG_BATMAN_ADV is not set
-# CONFIG_OPENVSWITCH is not set
 # CONFIG_VSOCKETS is not set
 # CONFIG_NETLINK_DIAG is not set
 # CONFIG_MPLS is not set
 # CONFIG_NET_NSH is not set
 # CONFIG_HSR is not set
-# CONFIG_NET_SWITCHDEV is not set
-# CONFIG_NET_L3_MASTER_DEV is not set
 # CONFIG_QRTR is not set
-# CONFIG_NET_NCSI is not set
 CONFIG_PCPU_DEV_REFCNT=y
 CONFIG_MAX_SKB_FRAGS=17
 CONFIG_RPS=y
@@ -956,15 +902,12 @@ CONFIG_NET_FLOW_LIMIT=y
 #
 # Network testing
 #
-# CONFIG_NET_PKTGEN is not set
 # end of Network testing
 # end of Networking options
 
 # CONFIG_HAMRADIO is not set
 # CONFIG_CAN is not set
 # CONFIG_BT is not set
-# CONFIG_AF_RXRPC is not set
-# CONFIG_AF_KCM is not set
 # CONFIG_MCTP is not set
 CONFIG_WIRELESS=y
 # CONFIG_CFG80211 is not set
@@ -976,13 +919,10 @@ CONFIG_MAC80211_STA_HASH_MAX_SIZE=0
 # CONFIG_RFKILL is not set
 # CONFIG_NET_9P is not set
 # CONFIG_CAIF is not set
-# CONFIG_CEPH_LIB is not set
 # CONFIG_NFC is not set
 # CONFIG_PSAMPLE is not set
 # CONFIG_NET_IFE is not set
 # CONFIG_LWTUNNEL is not set
-CONFIG_DST_CACHE=y
-CONFIG_GRO_CELLS=y
 # CONFIG_FAILOVER is not set
 CONFIG_ETHTOOL_NETLINK=y
 
@@ -1160,12 +1100,14 @@ CONFIG_BLK_DEV=y
 # CONFIG_BLK_DEV_FD is not set
 # CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
 # CONFIG_BLK_DEV_LOOP is not set
-# CONFIG_BLK_DEV_DRBD is not set
+
+#
+# DRBD disabled because PROC_FS or INET not selected
+#
 # CONFIG_BLK_DEV_NBD is not set
 # CONFIG_BLK_DEV_RAM is not set
 # CONFIG_CDROM_PKTCDVD is not set
 # CONFIG_ATA_OVER_ETH is not set
-# CONFIG_BLK_DEV_RBD is not set
 # CONFIG_BLK_DEV_UBLK is not set
 
 #
@@ -1176,7 +1118,6 @@ CONFIG_BLK_DEV_NVME=y
 # CONFIG_NVME_MULTIPATH is not set
 # CONFIG_NVME_VERBOSE_ERRORS is not set
 # CONFIG_NVME_FC is not set
-# CONFIG_NVME_TCP is not set
 # CONFIG_NVME_AUTH is not set
 # end of NVME Support
 
@@ -1220,7 +1161,6 @@ CONFIG_BLK_DEV_NVME=y
 # CONFIG_BCM_VK is not set
 # CONFIG_MISC_ALCOR_PCI is not set
 # CONFIG_MISC_RTSX_PCI is not set
-# CONFIG_MISC_RTSX_USB is not set
 # CONFIG_UACCE is not set
 # CONFIG_PVPANIC is not set
 # end of Misc devices
@@ -1260,9 +1200,7 @@ CONFIG_BLK_DEV_BSG=y
 # end of SCSI Transports
 
 CONFIG_SCSI_LOWLEVEL=y
-# CONFIG_ISCSI_TCP is not set
 # CONFIG_ISCSI_BOOT_SYSFS is not set
-# CONFIG_SCSI_CXGB3_ISCSI is not set
 # CONFIG_SCSI_BNX2_ISCSI is not set
 # CONFIG_BE2ISCSI is not set
 # CONFIG_BLK_DEV_3W_XXXX_RAID is not set
@@ -1369,10 +1307,7 @@ CONFIG_MOUSE_PS2_TRACKPOINT=y
 # CONFIG_MOUSE_PS2_TOUCHKIT is not set
 CONFIG_MOUSE_PS2_FOCALTECH=y
 # CONFIG_MOUSE_SERIAL is not set
-# CONFIG_MOUSE_APPLETOUCH is not set
-# CONFIG_MOUSE_BCM5974 is not set
 # CONFIG_MOUSE_VSXXXAA is not set
-# CONFIG_MOUSE_SYNAPTICS_USB is not set
 # CONFIG_INPUT_JOYSTICK is not set
 # CONFIG_INPUT_TABLET is not set
 # CONFIG_INPUT_TOUCHSCREEN is not set
@@ -1463,7 +1398,6 @@ CONFIG_HW_RANDOM_TPM=y
 # CONFIG_TCG_VTPM_PROXY is not set
 # CONFIG_TELCLOCK is not set
 # CONFIG_XILLYBUS is not set
-# CONFIG_XILLYUSB is not set
 # end of Character devices
 
 #
@@ -1546,7 +1480,6 @@ CONFIG_BCMA_POSSIBLE=y
 # Multifunction device drivers
 #
 # CONFIG_MFD_MADERA is not set
-# CONFIG_MFD_DLN2 is not set
 # CONFIG_LPC_ICH is not set
 # CONFIG_LPC_SCH is not set
 # CONFIG_MFD_INTEL_LPSS_ACPI is not set
@@ -1554,7 +1487,6 @@ CONFIG_BCMA_POSSIBLE=y
 # CONFIG_MFD_JANZ_CMODIO is not set
 # CONFIG_MFD_KEMPLD is not set
 # CONFIG_MFD_MT6397 is not set
-# CONFIG_MFD_VIPERBOARD is not set
 # CONFIG_MFD_RDC321X is not set
 # CONFIG_MFD_SM501 is not set
 # CONFIG_MFD_SYSCON is not set
@@ -1623,8 +1555,6 @@ CONFIG_FB_EFI=y
 # CONFIG_FB_ARK is not set
 # CONFIG_FB_PM3 is not set
 # CONFIG_FB_CARMINE is not set
-# CONFIG_FB_SMSCUFX is not set
-# CONFIG_FB_UDL is not set
 # CONFIG_FB_IBM_GXT4500 is not set
 # CONFIG_FB_VIRTUAL is not set
 # CONFIG_FB_METRONOME is not set
@@ -1680,34 +1610,26 @@ CONFIG_HID_GENERIC=y
 # Special HID drivers
 #
 # CONFIG_HID_A4TECH is not set
-# CONFIG_HID_ACCUTOUCH is not set
 # CONFIG_HID_ACRUX is not set
-# CONFIG_HID_APPLEIR is not set
 # CONFIG_HID_AUREAL is not set
 # CONFIG_HID_BELKIN is not set
-# CONFIG_HID_BETOP_FF is not set
 # CONFIG_HID_CHERRY is not set
-# CONFIG_HID_CHICONY is not set
 # CONFIG_HID_COUGAR is not set
 # CONFIG_HID_MACALLY is not set
 # CONFIG_HID_CMEDIA is not set
-# CONFIG_HID_CREATIVE_SB0540 is not set
 # CONFIG_HID_CYPRESS is not set
 # CONFIG_HID_DRAGONRISE is not set
 # CONFIG_HID_EMS_FF is not set
 # CONFIG_HID_ELECOM is not set
-# CONFIG_HID_ELO is not set
 # CONFIG_HID_EVISION is not set
 # CONFIG_HID_EZKEY is not set
 # CONFIG_HID_GEMBIRD is not set
 # CONFIG_HID_GFRM is not set
 # CONFIG_HID_GLORIOUS is not set
-# CONFIG_HID_HOLTEK is not set
 # CONFIG_HID_GOOGLE_STADIA_FF is not set
 # CONFIG_HID_VIVALDI is not set
 # CONFIG_HID_KEYTOUCH is not set
 # CONFIG_HID_KYE is not set
-# CONFIG_HID_UCLOGIC is not set
 # CONFIG_HID_WALTOP is not set
 # CONFIG_HID_VIEWSONIC is not set
 # CONFIG_HID_VRC2 is not set
@@ -1720,35 +1642,26 @@ CONFIG_HID_GENERIC=y
 # CONFIG_HID_KENSINGTON is not set
 # CONFIG_HID_LCPOWER is not set
 # CONFIG_HID_LENOVO is not set
-# CONFIG_HID_LETSKETCH is not set
 # CONFIG_HID_MAGICMOUSE is not set
 # CONFIG_HID_MALTRON is not set
 # CONFIG_HID_MAYFLASH is not set
-# CONFIG_HID_MEGAWORLD_FF is not set
 # CONFIG_HID_REDRAGON is not set
 # CONFIG_HID_MICROSOFT is not set
 # CONFIG_HID_MONTEREY is not set
 # CONFIG_HID_MULTITOUCH is not set
 # CONFIG_HID_NTI is not set
-# CONFIG_HID_NTRIG is not set
 # CONFIG_HID_ORTEK is not set
 # CONFIG_HID_PANTHERLORD is not set
-# CONFIG_HID_PENMOUNT is not set
 # CONFIG_HID_PETALYNX is not set
 # CONFIG_HID_PICOLCD is not set
 # CONFIG_HID_PLANTRONICS is not set
 # CONFIG_HID_PXRC is not set
 # CONFIG_HID_RAZER is not set
 # CONFIG_HID_PRIMAX is not set
-# CONFIG_HID_RETRODE is not set
-# CONFIG_HID_ROCCAT is not set
 # CONFIG_HID_SAITEK is not set
-# CONFIG_HID_SAMSUNG is not set
 # CONFIG_HID_SEMITEK is not set
-# CONFIG_HID_SIGMAMICRO is not set
 # CONFIG_HID_SPEEDLINK is not set
 # CONFIG_HID_STEAM is not set
-# CONFIG_HID_STEELSERIES is not set
 # CONFIG_HID_SUNPLUS is not set
 # CONFIG_HID_RMI is not set
 # CONFIG_HID_GREENASIA is not set
@@ -1756,9 +1669,7 @@ CONFIG_HID_GENERIC=y
 # CONFIG_HID_TIVO is not set
 # CONFIG_HID_TOPSEED is not set
 # CONFIG_HID_TOPRE is not set
-# CONFIG_HID_THRUSTMASTER is not set
 # CONFIG_HID_UDRAW_PS3 is not set
-# CONFIG_HID_WACOM is not set
 # CONFIG_HID_XINMO is not set
 # CONFIG_HID_ZEROPLUS is not set
 # CONFIG_HID_ZYDACRON is not set
@@ -1771,14 +1682,6 @@ CONFIG_HID_GENERIC=y
 #
 # end of HID-BPF support
 
-#
-# USB HID support
-#
-CONFIG_USB_HID=y
-# CONFIG_HID_PID is not set
-# CONFIG_USB_HIDDEV is not set
-# end of USB HID support
-
 #
 # Intel ISH HID support
 #
@@ -1792,136 +1695,12 @@ CONFIG_USB_HID=y
 # end of AMD SFH HID Support
 
 CONFIG_USB_OHCI_LITTLE_ENDIAN=y
-CONFIG_USB_SUPPORT=y
-CONFIG_USB_COMMON=y
-# CONFIG_USB_ULPI_BUS is not set
-CONFIG_USB_ARCH_HAS_HCD=y
-CONFIG_USB=y
-CONFIG_USB_PCI=y
-# CONFIG_USB_ANNOUNCE_NEW_DEVICES is not set
-
-#
-# Miscellaneous USB options
-#
-CONFIG_USB_DEFAULT_PERSIST=y
-# CONFIG_USB_FEW_INIT_RETRIES is not set
-# CONFIG_USB_DYNAMIC_MINORS is not set
-# CONFIG_USB_OTG_PRODUCTLIST is not set
-# CONFIG_USB_OTG_DISABLE_EXTERNAL_HUB is not set
-CONFIG_USB_AUTOSUSPEND_DELAY=2
-# CONFIG_USB_MON is not set
-
-#
-# USB Host Controller Drivers
-#
-# CONFIG_USB_C67X00_HCD is not set
-CONFIG_USB_XHCI_HCD=y
-# CONFIG_USB_XHCI_DBGCAP is not set
-CONFIG_USB_XHCI_PCI=y
-# CONFIG_USB_XHCI_PCI_RENESAS is not set
-# CONFIG_USB_XHCI_PLATFORM is not set
-# CONFIG_USB_EHCI_HCD is not set
-# CONFIG_USB_OXU210HP_HCD is not set
-# CONFIG_USB_ISP116X_HCD is not set
-# CONFIG_USB_OHCI_HCD is not set
-# CONFIG_USB_UHCI_HCD is not set
-# CONFIG_USB_SL811_HCD is not set
-# CONFIG_USB_R8A66597_HCD is not set
-# CONFIG_USB_HCD_TEST_MODE is not set
-
-#
-# USB Device Class drivers
-#
-# CONFIG_USB_ACM is not set
-# CONFIG_USB_PRINTER is not set
-# CONFIG_USB_WDM is not set
-# CONFIG_USB_TMC is not set
-
-#
-# NOTE: USB_STORAGE depends on SCSI but BLK_DEV_SD may
-#
-
-#
-# also be needed; see USB_STORAGE Help for more info
-#
-CONFIG_USB_STORAGE=y
-# CONFIG_USB_STORAGE_DEBUG is not set
-# CONFIG_USB_STORAGE_REALTEK is not set
-# CONFIG_USB_STORAGE_DATAFAB is not set
-# CONFIG_USB_STORAGE_FREECOM is not set
-# CONFIG_USB_STORAGE_ISD200 is not set
-# CONFIG_USB_STORAGE_USBAT is not set
-# CONFIG_USB_STORAGE_SDDR09 is not set
-# CONFIG_USB_STORAGE_SDDR55 is not set
-# CONFIG_USB_STORAGE_JUMPSHOT is not set
-# CONFIG_USB_STORAGE_ALAUDA is not set
-# CONFIG_USB_STORAGE_ONETOUCH is not set
-# CONFIG_USB_STORAGE_KARMA is not set
-# CONFIG_USB_STORAGE_CYPRESS_ATACB is not set
-# CONFIG_USB_STORAGE_ENE_UB6250 is not set
-CONFIG_USB_UAS=y
-
-#
-# USB Imaging devices
-#
-# CONFIG_USB_MDC800 is not set
-# CONFIG_USB_MICROTEK is not set
-# CONFIG_USBIP_CORE is not set
-
-#
-# USB dual-mode controller drivers
-#
-# CONFIG_USB_CDNS_SUPPORT is not set
-# CONFIG_USB_MUSB_HDRC is not set
-# CONFIG_USB_DWC3 is not set
-# CONFIG_USB_DWC2 is not set
-# CONFIG_USB_ISP1760 is not set
-
-#
-# USB port drivers
-#
-# CONFIG_USB_SERIAL is not set
-
-#
-# USB Miscellaneous drivers
-#
-# CONFIG_USB_EMI62 is not set
-# CONFIG_USB_EMI26 is not set
-# CONFIG_USB_ADUTUX is not set
-# CONFIG_USB_SEVSEG is not set
-# CONFIG_USB_LEGOTOWER is not set
-# CONFIG_USB_LCD is not set
-# CONFIG_USB_CYPRESS_CY7C63 is not set
-# CONFIG_USB_CYTHERM is not set
-# CONFIG_USB_IDMOUSE is not set
-# CONFIG_USB_APPLEDISPLAY is not set
-# CONFIG_APPLE_MFI_FASTCHARGE is not set
-# CONFIG_USB_LD is not set
-# CONFIG_USB_TRANCEVIBRATOR is not set
-# CONFIG_USB_IOWARRIOR is not set
-# CONFIG_USB_TEST is not set
-# CONFIG_USB_EHSET_TEST_FIXTURE is not set
-# CONFIG_USB_ISIGHTFW is not set
-# CONFIG_USB_YUREX is not set
-# CONFIG_USB_EZUSB_FX2 is not set
-# CONFIG_USB_LINK_LAYER_TEST is not set
-# CONFIG_USB_CHAOSKEY is not set
-
-#
-# USB Physical Layer drivers
-#
-# CONFIG_NOP_USB_XCEIV is not set
-# end of USB Physical Layer drivers
-
-# CONFIG_USB_GADGET is not set
-# CONFIG_TYPEC is not set
-# CONFIG_USB_ROLE_SWITCH is not set
+# CONFIG_USB_SUPPORT is not set
 # CONFIG_MMC is not set
 # CONFIG_SCSI_UFSHCD is not set
 # CONFIG_MEMSTICK is not set
 # CONFIG_NEW_LEDS is not set
 # CONFIG_ACCESSIBILITY is not set
-# CONFIG_INFINIBAND is not set
 CONFIG_EDAC_ATOMIC_SCRUB=y
 CONFIG_EDAC_SUPPORT=y
 CONFIG_RTC_LIB=y
@@ -2078,7 +1857,6 @@ CONFIG_INTEL_IOMMU_PERF_EVENTS=y
 # PHY Subsystem
 #
 # CONFIG_GENERIC_PHY is not set
-# CONFIG_USB_LGM_PHY is not set
 # CONFIG_PHY_CAN_TRANSCEIVER is not set
 
 #
@@ -2222,13 +2000,6 @@ CONFIG_EFIVAR_FS=y
 
 # CONFIG_MISC_FILESYSTEMS is not set
 CONFIG_NETWORK_FILESYSTEMS=y
-# CONFIG_NFS_FS is not set
-# CONFIG_NFSD is not set
-# CONFIG_CEPH_FS is not set
-# CONFIG_CIFS is not set
-# CONFIG_SMB_SERVER is not set
-# CONFIG_CODA_FS is not set
-# CONFIG_AFS_FS is not set
 CONFIG_NLS=y
 CONFIG_NLS_DEFAULT="iso8859-1"
 CONFIG_NLS_CODEPAGE_437=y
@@ -2298,19 +2069,10 @@ CONFIG_SECURITY=y
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_PATH=y
 # CONFIG_INTEL_TXT is not set
-CONFIG_LSM_MMAP_MIN_ADDR=65536
 CONFIG_HARDENED_USERCOPY=y
 CONFIG_FORTIFY_SOURCE=y
 CONFIG_STATIC_USERMODEHELPER=y
 CONFIG_STATIC_USERMODEHELPER_PATH="/sbin/usermode-helper"
-CONFIG_SECURITY_SELINUX=y
-# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
-# CONFIG_SECURITY_SELINUX_DEVELOP is not set
-CONFIG_SECURITY_SELINUX_AVC_STATS=y
-CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
-CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
-# CONFIG_SECURITY_SELINUX_DEBUG is not set
-# CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
 # CONFIG_SECURITY_LOADPIN is not set
@@ -2328,7 +2090,6 @@ CONFIG_INTEGRITY_AUDIT=y
 # CONFIG_IMA is not set
 # CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
 # CONFIG_EVM is not set
-# CONFIG_DEFAULT_SECURITY_SELINUX is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
 CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,bpf"
 
diff --git a/modules/hardware/x86_64-generic/kernel/guest/configs/display-gpu.config b/modules/hardware/x86_64-generic/kernel/guest/configs/display-gpu.config
new file mode 100644
index 000000000..44652156d
--- /dev/null
+++ b/modules/hardware/x86_64-generic/kernel/guest/configs/display-gpu.config
@@ -0,0 +1,10 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: CC-BY-SA-4.0
+CONFIG_DRM=y
+CONFIG_PCI=y
+# for now i915 is considered generic for many Intel x86_64
+# devices, not specific to Lenovo X1 Carbon. Even if not
+# generic to all x86_64 - including AMD CPU integrated GPUs.
+CONFIG_DRM_I915=y
+CONFIG_FB=y
+CONFIG_VIRTIO_INPUT=y
diff --git a/modules/hardware/x86_64-generic/kernel/guest/configs/guest.config b/modules/hardware/x86_64-generic/kernel/guest/configs/guest.config
new file mode 100644
index 000000000..757461724
--- /dev/null
+++ b/modules/hardware/x86_64-generic/kernel/guest/configs/guest.config
@@ -0,0 +1,15 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: CC-BY-SA-4.0
+#Below configurations needed for microvm kernel to boot
+CONFIG_SERIAL_8250=y
+CONFIG_SERIAL_8250_CONSOLE=y
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+CONFIG_9P_FS=y
+CONFIG_OVERLAY_FS=y
+CONFIG_VIRTIO_MENU=y
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_MMIO=y
+CONFIG_VIRTIO_BLK=y
+CONFIG_VIRTIO_NET=y
+CONFIG_VIRTIO_VSOCKETS=y
diff --git a/modules/hardware/x86_64-generic/kernel/guest/default.nix b/modules/hardware/x86_64-generic/kernel/guest/default.nix
new file mode 100644
index 000000000..9d11d5288
--- /dev/null
+++ b/modules/hardware/x86_64-generic/kernel/guest/default.nix
@@ -0,0 +1,15 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{lib, ...}:
+with lib; {
+  options.ghaf.guest.kernel.hardening.enable = mkOption {
+    description = "Enable Ghaf Guest hardening feature";
+    type = types.bool;
+    default = false;
+  };
+  options.ghaf.guest.kernel.hardening.graphics.enable = mkOption {
+    description = "Enable support for Graphics in the Ghaf Guest";
+    type = types.bool;
+    default = false;
+  };
+}
diff --git a/modules/hardware/x86_64-generic/kernel/hardening.nix b/modules/hardware/x86_64-generic/kernel/hardening.nix
new file mode 100644
index 000000000..d1d61b1b9
--- /dev/null
+++ b/modules/hardware/x86_64-generic/kernel/hardening.nix
@@ -0,0 +1,26 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{...}: {
+  imports = [
+    ./host
+    ./guest
+    ./host/pkvm
+    # other host hardening modules - to be defined later
+  ];
+
+  config = {
+    # host kernel hardening
+    ghaf.host.kernel.hardening.enable = false;
+    ghaf.host.kernel.hardening.virtualization.enable = false;
+    ghaf.host.kernel.hardening.networking.enable = false;
+    ghaf.host.kernel.hardening.usb.enable = false;
+    ghaf.host.kernel.hardening.inputdevices.enable = false;
+    ghaf.host.kernel.hardening.debug.enable = false;
+    # host kernel hypervisor (KVM) hardening
+    ghaf.host.kernel.hardening.hypervisor.enable = false;
+    # guest kernel hardening
+    ghaf.guest.kernel.hardening.enable = false;
+    ghaf.guest.kernel.hardening.graphics.enable = false;
+    # other host hardening options - user space, etc. - to be defined later
+  };
+}
diff --git a/modules/hardware/x86_64-generic/kernel/host/configs/debug.config b/modules/hardware/x86_64-generic/kernel/host/configs/debug.config
new file mode 100644
index 000000000..130e33a36
--- /dev/null
+++ b/modules/hardware/x86_64-generic/kernel/host/configs/debug.config
@@ -0,0 +1,3 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: CC-BY-SA-4.0
+CONFIG_USB_USBNET=y
diff --git a/modules/hardware/x86_64-generic/kernel/host/configs/networking.config b/modules/hardware/x86_64-generic/kernel/host/configs/networking.config
new file mode 100644
index 000000000..340a2cd99
--- /dev/null
+++ b/modules/hardware/x86_64-generic/kernel/host/configs/networking.config
@@ -0,0 +1,27 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: CC-BY-SA-4.0
+CONFIG_INET=y
+CONFIG_PACKET=y
+CONFIG_BRIDGE=y
+CONFIG_NETDEVICES=y
+CONFIG_NETFILTER=y
+CONFIG_NETFILTER_XTABLES=y
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+CONFIG_NF_NAT=y
+CONFIG_NFT_TUNNEL=y
+CONFIG_NFT_COMPAT=y
+CONFIG_NF_TABLES=y
+CONFIG_NF_TABLES_INET=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_TUN=y
+CONFIG_SYN_COOKIES=y
+CONFIG_NETWORK_SECMARK=y
+CONFIG_AUDIT=y
+CONFIG_SECURITY_SELINUX=y
+CONFIG_SECURITY_SELINUX_DEVELOP=n
+CONFIG_INET_DIAG=n
+CONFIG_NFT_NAT=y
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_TARGET_MASQUERADE=y
diff --git a/modules/hardware/x86_64-generic/kernel/host/configs/usb.config b/modules/hardware/x86_64-generic/kernel/host/configs/usb.config
new file mode 100644
index 000000000..1dec60378
--- /dev/null
+++ b/modules/hardware/x86_64-generic/kernel/host/configs/usb.config
@@ -0,0 +1,7 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: CC-BY-SA-4.0
+CONFIG_USB_SUPPORT=y
+CONFIG_USB=y
+CONFIG_USB_STORAGE=y
+CONFIG_USB_UAS=y
+CONFIG_USB_XHCI_HCD=y
diff --git a/modules/hardware/x86_64-generic/kernel/host/configs/user-input-devices.config b/modules/hardware/x86_64-generic/kernel/host/configs/user-input-devices.config
new file mode 100644
index 000000000..1e9c88a39
--- /dev/null
+++ b/modules/hardware/x86_64-generic/kernel/host/configs/user-input-devices.config
@@ -0,0 +1,6 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: CC-BY-SA-4.0
+CONFIG_INPUT_EVDEV=y
+CONFIG_I2C=y
+CONFIG_I2C_DESIGNWARE_PLATFORM=y
+CONFIG_I2C_HID_ACPI=y
diff --git a/modules/hardware/x86_64-generic/kernel/host/configs/virtualization.config b/modules/hardware/x86_64-generic/kernel/host/configs/virtualization.config
new file mode 100644
index 000000000..cff6ffd51
--- /dev/null
+++ b/modules/hardware/x86_64-generic/kernel/host/configs/virtualization.config
@@ -0,0 +1,27 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: CC-BY-SA-4.0
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_POSIX_TIMERS=y
+CONFIG_PRINTK=y
+CONFIG_BASE_FULL=y
+CONFIG_VIRTUALIZATION=y
+CONFIG_HIGH_RES_TIMERS=y
+CONFIG_KVM=y
+CONFIG_KVM_INTEL=y
+CONFIG_KSM=y
+CONFIG_LPC_SCH=y
+CONFIG_MFD_INTEL_LPSS_PCI=y
+CONFIG_VFIO=y
+CONFIG_VFIO_PCI=y
+CONFIG_VIRT_DRIVERS=y
+CONFIG_VHOST_MENU=y
+CONFIG_VHOST_NET=y
+CONFIG_VHOST_VSOCK=y
+CONFIG_VSOCKETS=y
+CONFIG_IRQ_REMAP=y
+CONFIG_RANDOM_KMALLOC_CACHES=y
+CONFIG_TRIM_UNUSED_KSYMS=n
+CONFIG_FAIL_FUTEX=n
+CONFIG_FB=n
+
diff --git a/modules/hardware/x86_64-generic/kernel/host/default.nix b/modules/hardware/x86_64-generic/kernel/host/default.nix
new file mode 100644
index 000000000..636923430
--- /dev/null
+++ b/modules/hardware/x86_64-generic/kernel/host/default.nix
@@ -0,0 +1,66 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  # Importing kernel builder function from packages and checking hardening options
+  buildKernel = import ../../../../../packages/kernel {inherit config pkgs lib;};
+  config_baseline = ../configs/ghaf_host_hardened_baseline-x86;
+  host_hardened_kernel = buildKernel {
+    inherit config_baseline;
+    host_build = true;
+  };
+
+  enable_kernel_hardening = config.ghaf.host.kernel.hardening.enable;
+in
+  with lib; {
+    options.ghaf.host.kernel.hardening.enable = mkOption {
+      description = "Enable Ghaf Host hardening feature";
+      type = types.bool;
+      default = false;
+    };
+
+    options.ghaf.host.kernel.hardening.virtualization.enable = mkOption {
+      description = "Enable support for virtualization in the Ghaf Host";
+      type = types.bool;
+      default = false;
+    };
+
+    options.ghaf.host.kernel.hardening.networking.enable = mkOption {
+      description = "Enable support for networking in the Ghaf Host";
+      type = types.bool;
+      default = false;
+    };
+
+    options.ghaf.host.kernel.hardening.usb.enable = mkOption {
+      description = "Enable support for USB in the Ghaf Host";
+      type = types.bool;
+      default = false;
+    };
+
+    options.ghaf.host.kernel.hardening.inputdevices.enable = mkOption {
+      description = "Enable support for input devices in the Ghaf Host";
+      type = types.bool;
+      default = false;
+    };
+
+    options.ghaf.host.kernel.hardening.debug.enable = mkOption {
+      description = "Enable support for debug features in the Ghaf Host";
+      type = types.bool;
+      default = false;
+    };
+
+    config = mkIf enable_kernel_hardening {
+      boot.kernelPackages = pkgs.linuxPackagesFor host_hardened_kernel;
+      # https://github.com/NixOS/nixpkgs/issues/109280#issuecomment-973636212
+      nixpkgs.overlays = [
+        (_final: prev: {
+          makeModulesClosure = x:
+            prev.makeModulesClosure (x // {allowMissing = true;});
+        })
+      ];
+    };
+  }
diff --git a/modules/hardware/x86_64-generic/kernel/host/pkvm/default.nix b/modules/hardware/x86_64-generic/kernel/host/pkvm/default.nix
new file mode 100644
index 000000000..f47651f59
--- /dev/null
+++ b/modules/hardware/x86_64-generic/kernel/host/pkvm/default.nix
@@ -0,0 +1,48 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  pkvmKernel = pkgs.linux_6_1.override {
+    argsOverride = rec {
+      src = pkgs.fetchurl {
+        url = "mirror://kernel/linux/kernel/v6.x/linux-${version}.tar.xz";
+        hash = "sha256-qH4kHsFdU0UsTv4hlxOjdp2IzENrW5jPbvsmLEr/FcA=";
+      };
+      version = "6.1.55";
+      modDirVersion = version;
+    };
+  };
+
+  pkvm_patch = [
+    {
+      name = "pkvm-patch";
+      patch = ../../../../../virtualization/pkvm/0001-pkvm-enable-pkvm-on-intel-x86-6.1-lts.patch;
+      structuredExtraConfig = with lib.kernel; {
+        KVM_INTEL = yes;
+        KSM = no;
+        PKVM_INTEL = yes;
+        PKVM_INTEL_DEBUG = yes;
+        PKVM_GUEST = yes;
+        EARLY_PRINTK_USB_XDBC = yes;
+        RETPOLINE = yes;
+      };
+    }
+  ];
+
+  hyp_cfg = config.ghaf.host.kernel.hardening.hypervisor;
+in
+  with lib; {
+    options.ghaf.host.kernel.hardening.hypervisor.enable = mkOption {
+      description = "Enable Hypervisor hardening feature";
+      type = types.bool;
+      default = false;
+    };
+    config = mkIf hyp_cfg.enable {
+      boot.kernelPackages = pkgs.linuxPackagesFor pkvmKernel;
+      boot.kernelPatches = pkvm_patch;
+    };
+  }
diff --git a/modules/hardware/x86_64-generic/kernel/host/pkvm/test/default.nix b/modules/hardware/x86_64-generic/kernel/host/pkvm/test/default.nix
new file mode 100644
index 000000000..288fd2e55
--- /dev/null
+++ b/modules/hardware/x86_64-generic/kernel/host/pkvm/test/default.nix
@@ -0,0 +1,6 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{pkgs, ...}: let
+  config = pkgs.nixos [./test-configuration.nix];
+in
+  config.config.system.build.toplevel
diff --git a/modules/hardware/x86_64-generic/kernel/host/pkvm/test/test-configuration.nix b/modules/hardware/x86_64-generic/kernel/host/pkvm/test/test-configuration.nix
new file mode 100644
index 000000000..6dfb78431
--- /dev/null
+++ b/modules/hardware/x86_64-generic/kernel/host/pkvm/test/test-configuration.nix
@@ -0,0 +1,22 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  config,
+  lib,
+  ...
+}: {
+  imports = [
+    ../default.nix
+  ];
+
+  # pkvm hardening is generic to all x86_64 devices
+  config.ghaf.host.kernel.hardening.hypervisor.enable = true;
+
+  # required to module test a module via top level configuration
+  config.boot.loader.systemd-boot.enable = true;
+  config.fileSystems."/" = {
+    device = "/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000";
+    fsType = "ext4";
+  };
+  config.system.stateVersion = lib.trivial.release;
+}
diff --git a/modules/hardware/x86_64-generic/kernel/host/test/default.nix b/modules/hardware/x86_64-generic/kernel/host/test/default.nix
new file mode 100644
index 000000000..288fd2e55
--- /dev/null
+++ b/modules/hardware/x86_64-generic/kernel/host/test/default.nix
@@ -0,0 +1,6 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{pkgs, ...}: let
+  config = pkgs.nixos [./test-configuration.nix];
+in
+  config.config.system.build.toplevel
diff --git a/modules/hardware/x86_64-generic/kernel/host/test/test-configuration.nix b/modules/hardware/x86_64-generic/kernel/host/test/test-configuration.nix
new file mode 100644
index 000000000..7b0688dfe
--- /dev/null
+++ b/modules/hardware/x86_64-generic/kernel/host/test/test-configuration.nix
@@ -0,0 +1,31 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  config,
+  lib,
+  ...
+}: {
+  imports = [
+    ../default.nix
+    # import guest also to bring the defaults (false) to scope
+    ../../guest/default.nix
+  ];
+
+  # baseline, virtualization and network hardening are
+  # generic to all x86_64 devices
+  config.ghaf.host.kernel.hardening.enable = true;
+  config.ghaf.host.kernel.hardening.virtualization.enable = true;
+  config.ghaf.host.kernel.hardening.networking.enable = true;
+  config.ghaf.host.kernel.hardening.inputdevices.enable = true;
+  # usb/debug hardening is host optional but required for -debug builds
+  config.ghaf.host.kernel.hardening.usb.enable = true;
+  config.ghaf.host.kernel.hardening.debug.enable = true;
+
+  # required to module test a module via top level configuration
+  config.boot.loader.systemd-boot.enable = true;
+  config.fileSystems."/" = {
+    device = "/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000";
+    fsType = "ext4";
+  };
+  config.system.stateVersion = lib.trivial.release;
+}
diff --git a/modules/host/default.nix b/modules/host/default.nix
index 536e8c501..3c799ba46 100644
--- a/modules/host/default.nix
+++ b/modules/host/default.nix
@@ -15,8 +15,6 @@
 
     ../../overlays/custom-packages
 
-    ./kernel.nix
-
     # TODO: Refactor this under virtualization/microvm/host/networking.nix
     ./networking.nix
   ];
diff --git a/modules/host/kernel.nix b/modules/host/kernel.nix
deleted file mode 100644
index e0e68149c..000000000
--- a/modules/host/kernel.nix
+++ /dev/null
@@ -1,114 +0,0 @@
-# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
-# SPDX-License-Identifier: Apache-2.0
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: let
-  baseKernel =
-    if hyp_cfg.enable
-    then
-      pkgs.linux_6_1.override {
-        argsOverride = rec {
-          src = pkgs.fetchurl {
-            url = "mirror://kernel/linux/kernel/v6.x/linux-${version}.tar.xz";
-            hash = "sha256-qH4kHsFdU0UsTv4hlxOjdp2IzENrW5jPbvsmLEr/FcA=";
-          };
-          version = "6.1.55";
-          modDirVersion = "6.1.55";
-        };
-      }
-    else pkgs.linux_latest;
-  hardened_kernel = pkgs.linuxManualConfig rec {
-    inherit (baseKernel) src modDirVersion kernelPatches;
-    version = "${baseKernel.version}-ghaf-hardened";
-    /*
-    baseline "make tinyconfig"
-    - enabled for 64-bit, TTY, printk and initrd
-    - fixed following NixOS required assertions via "make menuconfig" + search
-    (following is documented here to highlight NixOS required (asserted) kernel features)
-    ❯ nix build .#packages.x86_64-linux.lenovo-x1-carbon-gen11-debug --accept-flake-config
-    error:
-       Failed assertions:
-       - CONFIG_DEVTMPFS is not enabled!
-       - CONFIG_CGROUPS is not enabled!
-       - CONFIG_INOTIFY_USER is not enabled!
-       - CONFIG_SIGNALFD is not enabled!
-       - CONFIG_TIMERFD is not enabled!
-       - CONFIG_EPOLL is not enabled!
-       - CONFIG_NET is not enabled!
-       - CONFIG_SYSFS is not enabled!
-       - CONFIG_PROC_FS is not enabled!
-       - CONFIG_FHANDLE is not enabled!
-       - CONFIG_CRYPTO_USER_API_HASH is not enabled!
-       - CONFIG_CRYPTO_HMAC is not enabled!
-       - CONFIG_CRYPTO_SHA256 is not enabled!
-       - CONFIG_DMIID is not enabled!
-       - CONFIG_AUTOFS4_FS is not enabled!
-       - CONFIG_TMPFS_POSIX_ACL is not enabled!
-       - CONFIG_TMPFS_XATTR is not enabled!
-       - CONFIG_SECCOMP is not enabled!
-       - CONFIG_TMPFS is not yes!
-       - CONFIG_BLK_DEV_INITRD is not yes!
-       - CONFIG_EFI_STUB is not yes!
-       - CONFIG_MODULES is not yes!
-       - CONFIG_BINFMT_ELF is not yes!
-       - CONFIG_UNIX is not enabled!
-       - CONFIG_INOTIFY_USER is not yes!
-       - CONFIG_NET is not yes!
-    ...
-    additional NixOS dependencies (fixed):
-    > modprobe: FATAL: Module uas not found ...
-    > modprobe: FATAL: Module nvme not found ...
-    ... < many packages enabled as M,
-          others allowMissing = true with overlay
-          - see implementation below under cfg.enable
-    - also see https://github.com/NixOS/nixpkgs/issues/109280
-      for the context >
-    */
-
-    configfile = ./ghaf_host_hardened_baseline;
-    allowImportFromDerivation = true;
-  };
-
-  pkvm_patch = lib.mkIf config.ghaf.hardware.x86_64.common.enable [
-    {
-      name = "pkvm-patch";
-      patch = ../virtualization/pkvm/0001-pkvm-enable-pkvm-on-intel-x86-6.1-lts.patch;
-      structuredExtraConfig = with lib.kernel; {
-        KVM_INTEL = yes;
-        KSM = no;
-        PKVM_INTEL = yes;
-        PKVM_INTEL_DEBUG = yes;
-        PKVM_GUEST = yes;
-        EARLY_PRINTK_USB_XDBC = yes;
-        RETPOLINE = yes;
-      };
-    }
-  ];
-
-  kern_cfg = config.ghaf.host.kernel_hardening;
-  hyp_cfg = config.ghaf.host.hypervisor_hardening;
-in
-  with lib; {
-    options.ghaf.host.kernel_hardening = {
-      enable = mkEnableOption "Host kernel hardening";
-    };
-
-    options.ghaf.host.hypervisor_hardening = {
-      enable = mkEnableOption "Hypervisor hardening";
-    };
-
-    config = mkIf kern_cfg.enable {
-      boot.kernelPackages = pkgs.linuxPackagesFor hardened_kernel;
-      boot.kernelPatches = mkIf (hyp_cfg.enable && "${baseKernel.version}" == "6.1.55") pkvm_patch;
-      # https://github.com/NixOS/nixpkgs/issues/109280#issuecomment-973636212
-      nixpkgs.overlays = [
-        (_final: prev: {
-          makeModulesClosure = x:
-            prev.makeModulesClosure (x // {allowMissing = true;});
-        })
-      ];
-    };
-  }
diff --git a/modules/module-list.nix b/modules/module-list.nix
index 5df5ba60f..a585301ba 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -11,6 +11,7 @@
   ./hardware/definition.nix
   ./hardware/nvidia-jetson-orin/optee.nix
   ./hardware/x86_64-linux.nix
+  ./hardware/x86_64-generic/kernel/hardening.nix
   ./profiles/applications.nix
   ./profiles/debug.nix
   ./profiles/graphics.nix
diff --git a/modules/virtualization/microvm/guivm.nix b/modules/virtualization/microvm/guivm.nix
index a2deb1086..6fe45c9ff 100644
--- a/modules/virtualization/microvm/guivm.nix
+++ b/modules/virtualization/microvm/guivm.nix
@@ -118,6 +118,11 @@
   };
   cfg = config.ghaf.virtualization.microvm.guivm;
   vsockproxy = pkgs.callPackage ../../../packages/vsockproxy {};
+
+  # Importing kernel builder function and building guest_graphics_hardened_kernel
+  buildKernel = import ../../../packages/kernel {inherit config pkgs lib;};
+  config_baseline = ../../hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86;
+  guest_graphics_hardened_kernel = buildKernel {inherit config_baseline;};
 in {
   options.ghaf.virtualization.microvm.guivm = {
     enable = lib.mkEnableOption "GUIVM";
@@ -159,6 +164,10 @@ in {
       config =
         guivmBaseConfiguration
         // {
+          boot.kernelPackages =
+            lib.mkIf config.ghaf.guest.kernel.hardening.graphics.enable
+            (pkgs.linuxPackagesFor guest_graphics_hardened_kernel);
+
           imports =
             guivmBaseConfiguration.imports
             ++ cfg.extraModules;
diff --git a/nix/checks.nix b/nix/checks.nix
index 4515c5cba..767058c14 100644
--- a/nix/checks.nix
+++ b/nix/checks.nix
@@ -16,6 +16,12 @@
             reuse lint
             touch $out
           '';
+        module-test-hardened-generic-host-kernel =
+          pkgs.callPackage ../modules/hardware/x86_64-generic/kernel/host/test {inherit pkgs;};
+        module-test-hardened-lenovo-x1-guest-guivm-kernel =
+          pkgs.callPackage ../modules/hardware/lenovo-x1/kernel/guest/test {inherit pkgs;};
+        module-test-hardened-pkvm-kernel =
+          pkgs.callPackage ../modules/hardware/x86_64-generic/kernel/host/pkvm/test {inherit pkgs;};
       }
       // (lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages);
   };
diff --git a/nix/devshell/kernel.nix b/nix/devshell/kernel.nix
index 66157a260..8702c0d3d 100644
--- a/nix/devshell/kernel.nix
+++ b/nix/devshell/kernel.nix
@@ -9,6 +9,7 @@
   }: let
     mkKernelShell = {
       platform,
+      arch ? "",
       linux,
       extraPackages ? [],
       shellHook ? "",
@@ -44,11 +45,12 @@
           export PS1="[ghaf-kernel-${platform}-devshell:\w]$ "
         '';
         # use "eval $checkPhase" - see https://discourse.nixos.org/t/nix-develop-and-checkphase/25707
-        checkPhase = "cp ../modules/host/ghaf_host_hardened_baseline-${platform} ./.config && make -j$(nproc)";
+        checkPhase = "cp ../modules/hardware/${platform}/kernel/configs/ghaf_host_hardened_baseline-${arch} ./.config && make -j$(nproc)";
       };
   in {
     devShells.kernel-x86 = mkKernelShell {
-      platform = "x86";
+      platform = "x86_64-generic";
+      arch = "x86";
       linux = pkgs.linux_latest;
     };
     devShells.kernel-jetson-orin = mkKernelShell {
diff --git a/packages/kernel/default.nix b/packages/kernel/default.nix
new file mode 100644
index 000000000..eef8a3500
--- /dev/null
+++ b/packages/kernel/default.nix
@@ -0,0 +1,81 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: CC-BY-SA-4.0
+{
+  config,
+  pkgs,
+  lib,
+}: {
+  kernelPatches ? [],
+  config_baseline,
+  host_build ? false,
+}: let
+  kernel_package = pkgs.linux_latest;
+  version = "${kernel_package.version}-ghaf-hardened";
+  modDirVersion = version;
+  base_kernel =
+    pkgs.linuxManualConfig rec
+    {
+      inherit (kernel_package) src;
+      inherit version modDirVersion kernelPatches;
+      /*
+      NixOS required (asserted) kernel features
+      to comply with no import from derivation.
+      For the actual kernel build these config
+      options must come via the kernel
+      config_baseline argument
+      */
+      config = {
+        CONFIG_DEVTMPFS = "y";
+        CONFIG_CGROUPS = "y";
+        CONFIG_INOTIFY_USER = "y";
+        CONFIG_SIGNALFD = "y";
+        CONFIG_TIMERFD = "y";
+        CONFIG_EPOLL = "y";
+        CONFIG_NET = "y";
+        CONFIG_SYSFS = "y";
+        CONFIG_PROC_FS = "y";
+        CONFIG_FHANDLE = "y";
+        CONFIG_CRYPTO_USER_API_HASH = "y";
+        CONFIG_CRYPTO_HMAC = "y";
+        CONFIG_CRYPTO_SHA256 = "y";
+        CONFIG_DMIID = "y";
+        CONFIG_AUTOFS_FS = "y";
+        CONFIG_TMPFS_POSIX_ACL = "y";
+        CONFIG_TMPFS_XATTR = "y";
+        CONFIG_SECCOMP = "y";
+        CONFIG_TMPFS = "y";
+        CONFIG_BLK_DEV_INITRD = "y";
+        CONFIG_EFI_STUB = "y";
+        CONFIG_MODULES = "y";
+        CONFIG_BINFMT_ELF = "y";
+        CONFIG_UNIX = "y";
+      };
+      configfile = config_baseline;
+    };
+
+  generic_host_configs = ../../modules/hardware/x86_64-generic/kernel/host/configs;
+  generic_guest_configs = ../../modules/hardware/x86_64-generic/kernel/guest/configs;
+  # TODO: refactor - do we yet have any X1 specific host kernel configuration options?
+  # - we could add a configuration fragment for host debug via usb-ethernet-adapter(s)
+
+  kernel_features =
+    lib.optionals config.ghaf.host.kernel.hardening.virtualization.enable ["${generic_host_configs}/virtualization.config"]
+    ++ lib.optionals config.ghaf.host.kernel.hardening.networking.enable ["${generic_host_configs}/networking.config"]
+    ++ lib.optionals config.ghaf.host.kernel.hardening.usb.enable ["${generic_host_configs}/usb.config"]
+    ++ lib.optionals config.ghaf.host.kernel.hardening.inputdevices.enable ["${generic_host_configs}/user-input-devices.config"]
+    ++ lib.optionals config.ghaf.host.kernel.hardening.debug.enable ["${generic_host_configs}/debug.config"]
+    ++ lib.optionals (config.ghaf.guest.kernel.hardening.enable && !host_build) ["${generic_guest_configs}/guest.config"]
+    ++ lib.optionals (config.ghaf.guest.kernel.hardening.graphics.enable && !host_build) ["${generic_guest_configs}/display-gpu.config"];
+
+  kernel =
+    if lib.length kernel_features > 0
+    then
+      base_kernel.overrideAttrs (_old: {
+        inherit kernel_features;
+        postConfigure = ''
+          ./scripts/kconfig/merge_config.sh  -O $buildRoot $buildRoot/.config  $kernel_features;
+        '';
+      })
+    else base_kernel;
+in
+  kernel
diff --git a/targets/lenovo-x1-carbon.nix b/targets/lenovo-x1-carbon.nix
index 1b7a8a0c2..a920897ec 100644
--- a/targets/lenovo-x1-carbon.nix
+++ b/targets/lenovo-x1-carbon.nix
@@ -320,9 +320,16 @@
 
             ghaf = {
               hardware.definition = hwDefinition;
-              host.kernel_hardening.enable = false;
+              # To enable guest hardening enable host hardening first
+              host.kernel.hardening.enable = false;
+              host.kernel.hardening.virtualization.enable = false;
+              host.kernel.hardening.networking.enable = false;
+              host.kernel.hardening.inputdevices.enable = false;
 
-              host.hypervisor_hardening.enable = false;
+              guest.kernel.hardening.enable = false;
+              guest.kernel.hardening.graphics.enable = false;
+
+              host.kernel.hardening.hypervisor.enable = false;
 
               hardware.x86_64.common.enable = true;
 
@@ -521,6 +528,11 @@
     {
       ghaf.host.secureboot.enable = false;
     }
+    ../modules/hardware/x86_64-generic/kernel/host
+    {
+      ghaf.host.kernel.hardening.usb.enable = false;
+      ghaf.host.kernel.hardening.debug.enable = false;
+    }
   ];
   releaseModules = [
     {